[18.0][FIX] point_of_sale: search_read with elevated access#1308
Open
yotsubasuzu wants to merge 1 commit intoOCA:18.0from
Open
[18.0][FIX] point_of_sale: search_read with elevated access#1308yotsubasuzu wants to merge 1 commit intoOCA:18.0from
yotsubasuzu wants to merge 1 commit intoOCA:18.0from
Conversation
Member
|
This is not the proper solution, but to put And this is an Odoo bug, but it's covered by the auto-install mechanism, but this doesn't mean it's correct. Please propose the patch in odoo/odoo as well. |
yotsubasuzu
force-pushed
the
18.0-fix-missing-access-right
branch
from
5032ec8 to
7e96d13
Compare
Author
|
Thank you Pedro, I have update the code as you suggested and in odoo/odoo PR as well. |
Previously, users in the base.group_user group encountered an AccessError when attempting to read the ir.module.module model. This was due to the base_install_request auto-install mechanism being disabled, which removed the implicit read access that non-admin users previously relied on. To resolve this issue, this commit updates the _load_pos_data method to explicitly elevate privileges using sudo() when calling search_read() on the model. This ensures that the operation is executed with administrative rights, allowing all users to retrieve module metadata safely, regardless of their group permissions.
yotsubasuzu
force-pushed
the
18.0-fix-missing-access-right
branch
from
7e96d13 to
7b320b4
Compare
yotsubasuzu
changed the title
Member
|
Can you please propose the same to odoo/odoo first? It's better if it's fixed upstream. |
Author
|
Yeah it's the PR I mentioned above, still waiting for their reviews. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of the issue/feature this PR addresses:
In the repository OCA/POS PR
test with OCBhave been failing since PR #1301 was merged.You can see an example of the failing test here: https://github.com/OCA/pos/actions/runs/16340188713/job/46160658528?pr=1406#step:8:147.
The failures occur because PR#1301 disables the
base_install_requestauto-install mechanism, which previously granted implicit read access to their.module.modulemodel for users in thebase.group_usergroup. With that mechanism turned off, these users now receive anAccessErrorwhen attempting to readir.module.modulein code paths such as:(pos.session.load_data)[https://github.com/odoo/odoo/blob/18.0/addons/point_of_sale/models/pos_session.py#L185]
Desired behavior after PR is merged:
This PR adds
sudoto elevated access tosearch_readmethod in their.module.modulemodel.Related Works
In parallel, I have submitted PR odoo#219367 to the Odoo main repository to address this issues with the same changes in the same context.
I confirm I have signed the CLA and read the PR guidelines at www.odoo.com/submit-pr