From 87600e18bb05d506a974b78ebfca13c016afd540 Mon Sep 17 00:00:00 2001
From: Enrique <enriquemartin@digital5.es>
Date: Wed, 9 Oct 2019 17:03:51 +0200
Subject: [PATCH] [12.0][FIX] contract & contract_sale - security fix

The lowest model access for contract.contract model is group_account_invoice group. However the addon adds two smart buttons to res.partner view without any security restrictions and without compute_sudo attribute on computed fields.
This causes the view to crash when a user without the proper permissions tries to access the res.partner form view.
The solution adds groups_id to the partner form views in which the buttons are added, so the only loads when the user has proper permissions.
Other way to solve it would be to add compute_sudo attribute to the relevant fields, but this causes an access error when the user clicks on the smart buttons.
---
 contract/views/res_partner_view.xml      | 1 +
 contract_sale/__manifest__.py            | 1 +
 contract_sale/views/res_partner_view.xml | 8 ++++++++
 3 files changed, 10 insertions(+)
 create mode 100644 contract_sale/views/res_partner_view.xml

diff --git a/contract/views/res_partner_view.xml b/contract/views/res_partner_view.xml
index 378f9cb3..cda22f4a 100644
--- a/contract/views/res_partner_view.xml
+++ b/contract/views/res_partner_view.xml
@@ -6,6 +6,7 @@
     <record id="view_partner_form" model="ir.ui.view">
         <field name="inherit_id" ref="base.view_partner_form" />
         <field name="model">res.partner</field>
+        <field name="groups_id" eval="[(4, ref('account.group_account_invoice'))]"/>
         <field type="xml" name="arch">
         <xpath expr="//div[@name='button_box']" position="inside">
             <button name="act_show_contract" type="object" class="oe_stat_button"
diff --git a/contract_sale/__manifest__.py b/contract_sale/__manifest__.py
index 25155532..8c1fe27f 100644
--- a/contract_sale/__manifest__.py
+++ b/contract_sale/__manifest__.py
@@ -19,6 +19,7 @@
         'views/contract.xml',
         'views/contract_line.xml',
         'views/contract_template.xml',
+        'views/res_partner_view.xml',
     ],
     'license': 'AGPL-3',
     'installable': True,
diff --git a/contract_sale/views/res_partner_view.xml b/contract_sale/views/res_partner_view.xml
new file mode 100644
index 00000000..d060e6d7
--- /dev/null
+++ b/contract_sale/views/res_partner_view.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+
+    <record id="contract.view_partner_form" model="ir.ui.view">
+        <field name="groups_id" eval="[(4, ref('sales_team.group_sale_salesman'))]"/>
+    </record>
+
+</odoo>