[FIX] edi_webservice_oca: use sudo to get webserivce backend info

queue.job task are running in the context with the user that create the edi exchage record as those user are able to create exchange they should be able to read webservice backend while sending data in order to etablish the connexion to send payloads to the related webserivce. We don't want to give explicit read access using access model record to avoid user to retreives third party service credentials. Co-authored-by: Simone Orsi <[email protected]>
OCA · Dec 19, 2023 · f01bde0 · f01bde0
1 parent 307a7bc
commit f01bde0
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/edi_webservice_oca/models/edi_backend.py b/edi_webservice_oca/models/edi_backend.py
@@ -5,7 +5,6 @@
 
 
 class EdiBackend(models.Model):
-
  _inherit = "edi.backend"
 
  webservice_backend_id = fields.Many2one("webservice.backend")
@@ -22,7 +21,7 @@ def _component_match_attrs(self, exchange_record, key):
  res = super()._component_match_attrs(exchange_record, key)
  if not self.webservice_backend_id or key not in self._webservice_actions:
  return res
- res["webservice_protocol"] = self.webservice_backend_id.protocol
+ res["webservice_protocol"] = self.webservice_backend_id.sudo().protocol
  return res
 
  def _component_sort_key(self, component_class):

diff --git a/edi_webservice_oca/tests/test_send.py b/edi_webservice_oca/tests/test_send.py
@@ -40,6 +40,24 @@ def _setup_records(cls):
  endpoint: push/here
  """
  cls.record.type_id.set_settings(cls.settings1)
+ cls.a_user = (
+ cls.env["res.users"]
+ .with_context(no_reset_password=True)
+ .create(
+ {
+ "name": "foo",
+ "login": "a_user",
+ "email": "[email protected]",
+ "groups_id": [
+ (
+ 6,
+ 0,
+ (cls.env.ref("base.group_user")).ids,
+ )
+ ],
+ }
+ )
+ )
 
  def test_find_component(self):
  component = self.backend._get_component(self.record, "send")
@@ -79,9 +97,15 @@ def test_component_params(self):
  @responses.activate
  def test_component_send(self):
  self.record.type_id.set_settings(self.settings2)
+ # Internal user should be able to call the third party webservice
+ # without read access (no ir.access.model records)
+ # on `webservice.backend` model which store credentials
+ record = self.record.with_user(self.a_user)
+ backend = self.backend.with_user(self.a_user)
+
  url = "https://foo.test/push/here"
  responses.add(responses.POST, url, body="{}")
- component = self.backend._get_component(self.record, "send")
+ component = backend._get_component(record, "send")
  result = component.send()
  self.assertEqual(result, b"{}")
  self.assertEqual(