[IMP] website_event: avoid issue when registering as portal

A computed field on event may crash if current user is a portal user as it tries to access registrations to know if current user is already participating to the event. We also fix ACL on the registrations as most code already use it as sudo and do not access it directly. Only the event users or admins should access it directly. Task ID-2322411 PR #68699 Signed-off-by: Thibault Delavallee (tde) <tde@openerp.com>
odoo · Apr 27, 2021 · f7c95d9 · f7c95d9
1 parent 5391df9
commit f7c95d9
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/addons/event/i18n/event.pot b/addons/event/i18n/event.pot
@@ -1502,6 +1502,12 @@ msgid "Online events like webinars do not require a specific location\n"
 "                                            and are hosted online."
 msgstr ""
 
+#. module: event
+#: code:addons/event/models/event.py:386
+#, python-format
+msgid "Only event users or managers are allowed to create or update registrations."
+msgstr "Only event users or managers are allowed to create or update registrations."
+
 #. module: event
 #: model:ir.model.fields,help:event.field_event_type_is_online
 msgid "Online events like webinars do not require a specific location and are hosted online."

diff --git a/addons/event/models/event.py b/addons/event/models/event.py
@@ -379,6 +379,14 @@ def create(self, vals):
             registration.sudo().confirm_registration()
         return registration
 
+    @api.model
+    def check_access_rights(self, operation, raise_exception=True):
+        if not self.env.user._is_admin() and not self.user_has_groups('event.group_event_user'):
+            if raise_exception:
+                raise AccessError(_('Only event users or managers are allowed to create or update registrations.'))
+            return False
+        return super(EventRegistration, self).check_access_rights(operation, raise_exception=raise_exception)
+
     @api.model
     def _prepare_attendee_values(self, registration):
         """ Method preparing the values to create new attendees based on a

diff --git a/addons/website_event/models/event.py b/addons/website_event/models/event.py
@@ -32,7 +32,7 @@ def _compute_is_participating(self):
             email = self.env.user.partner_id.email
             for event in self:
                 domain = ['&', '|', ('email', '=', email), ('partner_id', '=', self.env.user.partner_id.id), ('event_id', '=', event.id)]
-                event.is_participating = self.env['event.registration'].search_count(domain)
+                event.is_participating = self.env['event.registration'].sudo().search_count(domain)
 
     @api.multi
     @api.depends('name')