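diff --git a/odoo/addons/base/models/ir_attachment.py b/odoo/addons/base/models/ir_attachment.py
index f1d8701a1..0f7926756 100644
--- a/odoo/addons/base/models/ir_attachment.py
+++ b/odoo/addons/base/models/ir_attachment.py
@@ -416,9 +416,13 @@ class IrAttachment(models.Model):
 """ Restricts the access to an ir.attachment, according to referred mode """
 if self.env.is_superuser():
 return True
- # Always require an internal user (aka, employee) to access to a attachment
+ # Either internal users or Portal users (for some models) have access to attachments
 if not (self.env.is_admin() or self.env.user.has_group('base.group_user')):
- raise AccessError(_("Sorry, you are not allowed to access this document."))
+ res_models = ['account.move', 'stock.picking',
+ 'stock.certificate', 'stock.delivery']
+ if not self.res_model or not self.res_id or self.res_model not in res_models:
+ raise AccessError(_("Sorry, you are not allowed to access this document."))
+ self.env[self.res_model].browse(self.res_id).check_access_rule('read')
 # collect the records to check (by model)
 model_ids = defaultdict(set) # {model_name: set(ids)}
 if self: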
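Review bot: The new portal branch reads `self.res_model` and `self.res_id` directly, but the lines that follow it (`model_ids = defaultdict(set)`, `if self:`) show this method is written for recordsets that may be empty or hold several attachments. On a multi-record set that field access raises Odoo's singleton `ValueError` instead of an `AccessError`, and on an empty set the branch always denies. I would wrap the check in `for attachment in self:` and test `attachment.res_model` / `attachment.res_id` per record. The branch also hard-codes `check_access_rule('read')`, ignoring the mode named in the docstring and never calling `check_access_rights`; that is only safe if the per-model checks later in the method still run with the caller's mode for non-internal users, so a comment such as `# gate only: mode-specific ACL and rule checks happen below` would make the intent reviewable. The method starts and ends outside this hunk, so the later checks could not be confirmed from here.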