diff --git a/odoo/addons/base/models/ir_attachment.py b/odoo/addons/base/models/ir_attachment.py
|
|
index f1d8701a1..0f7926756 100644
|
|
--- a/odoo/addons/base/models/ir_attachment.py
|
|
+++ b/odoo/addons/base/models/ir_attachment.py
|
|
@@ -418,7 +418,10 @@ class IrAttachment(models.Model):
|
|
return True
|
|
# Always require an internal user (aka, employee) to access to a attachment
|
|
if not (self.env.is_admin() or self.env.user.has_group('base.group_user')):
|
|
- raise AccessError(_("Sorry, you are not allowed to access this document."))
|
|
+ res_models = ['account.move', 'stock.picking',
|
|
+ 'stock.certificate', 'stock.delivery']
|
|
+ if not self.res_model or not self.res_id or self.res_model not in res_models:
|
|
+ raise AccessError(_("Sorry, you are not allowed to access this document."))
|
|
+ self.env[self.res_model].browse(self.res_id).check_access_rule('read')
|
|
# collect the records to check (by model)
|
|
model_ids = defaultdict(set) # {model_name: set(ids)}
|
|
if self:
|
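Review bot: The added branch reads `self.res_model` and `self.res_id` directly on `self`, but the context lines after it (`if self:` and "collect the records to check (by model)") suggest this method runs on recordsets of any size. On more than one attachment that field access would presumably raise a singleton error rather than `AccessError`, and no per-attachment decision is made. The linked record is also checked only with `check_access_rule('read')`, so there is no model-level `check_access_rights` and the check ignores which operation is being authorised. Whether a non-internal user is held to read-only therefore depends on code below the hunk, which is not visible here. I would evaluate each attachment separately, keep denying the empty set as the current code does, and add the ACL check, as sketched below; the `sudo()` read assumes the early `return True` above is the superuser bypass, and the method itself starts and ends outside the hunk.

```python
# … unchanged: internal-user test and the res_models allow-list …
    if not self:
        raise AccessError(_("Sorry, you are not allowed to access this document."))
    # Read the link fields with elevated rights so the lookup itself does not
    # depend on the access being decided here (confirm against the bypass above).
    for attachment in self.sudo():
        if (not attachment.res_model or not attachment.res_id
                or attachment.res_model not in res_models):
            raise AccessError(_("Sorry, you are not allowed to access this document."))
        record = self.env[attachment.res_model].browse(attachment.res_id)
        record.check_access_rights('read')
        record.check_access_rule('read')
# … unchanged: collect the records to check (by model) …
```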