From badb18208f167f33d08872e53933b514c7e1702f Mon Sep 17 00:00:00 2001
From: "Jorge E. Gomez" <jegomez@agofer.com.co>
Date: Mon, 6 Feb 2023 18:18:21 -0500
Subject: [PATCH] [NEW] Patches Core to allow attachment access from portal
 users

---
 apply_patches.sh                                 |  1 +
 ...nt_allow-portal-users-attachment-access.patch | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 patches/20230206_ir-attachment_allow-portal-users-attachment-access.patch

diff --git a/apply_patches.sh b/apply_patches.sh
index cac900d..fa404d7 100755
--- a/apply_patches.sh
+++ b/apply_patches.sh
@@ -35,6 +35,7 @@ pt_core ()
     pushd $DEST
     git apply $OPTIONS $SRC/patches/20210603_auth-oauth_redirects-to-root.patch
     git apply $OPTIONS $SRC/patches/20220131_purchase-requisition_match-variant.patch    
+    git apply $OPTIONS $SRC/patches/20230206_ir-attachment_allow-portal-users-attachment-access.patch
     # Reverted in https://github.com/odoo/odoo/commit/8d1d62a8c0746abb30f97290304b761f74111a89:
     #git apply $OPTIONS $SRC/patches/20220204_mail_re-enables-buttons-in-notifications.patch
     popd
diff --git a/patches/20230206_ir-attachment_allow-portal-users-attachment-access.patch b/patches/20230206_ir-attachment_allow-portal-users-attachment-access.patch
new file mode 100644
index 0000000..9809e6f
--- /dev/null
+++ b/patches/20230206_ir-attachment_allow-portal-users-attachment-access.patch
@@ -0,0 +1,16 @@
+diff --git a/odoo/addons/base/models/ir_attachment.py b/odoo/addons/base/models/ir_attachment.py
+index f1d8701a1..0f7926756 100644
+--- a/odoo/addons/base/models/ir_attachment.py
++++ b/odoo/addons/base/models/ir_attachment.py
+@@ -417,7 +417,10 @@ class IrAttachment(models.Model):
+             return True
+         # Always require an internal user (aka, employee) to access to a attachment
+         if not (self.env.is_admin() or self.env.user.has_group('base.group_user')):
+-            raise AccessError(_("Sorry, you are not allowed to access this document."))
++            res_models = ['account.move', 'stock.picking']
++            if not self.res_model or not self.res_id or self.res_model not in res_models:
++                raise AccessError(_("Sorry, you are not allowed to access this document."))
++            self.env[self.res_model].browse(self.res_id).check_access_rule('read')
+         # collect the records to check (by model)
+         model_ids = defaultdict(set)            # {model_name: set(ids)}
+         if self: