[FIX] calendar: events privacy for uninvited admins

This commit reverts odoo#133504, as it was deliberating access to private event information to uninvited administrators in the calendar view. Only the event organizer and its attendees must be able to fetch private events information. In addition, two tests have been added to: 1. ensure the confidentiality of private events from uninvited administrators and 2. prohibit uninvited administrators from edit the information of any event, private or not. task-3837646 closes odoo#160308 Signed-off-by: Yannick Tivisse (yti) <[email protected]> Signed-off-by: Gabriel de Paula Felix (gdpf) <[email protected]>
ursais · Apr 3, 2024 · a08e32d · a08e32d
1 parent 06b7e8c
commit a08e32d
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/addons/calendar/models/calendar_event.py b/addons/calendar/models/calendar_event.py
@@ -288,7 +288,7 @@ def _compute_attendees_count(self):
     @api.depends_context('uid')
     def _compute_user_can_edit(self):
         for event in self:
-            event.user_can_edit = self.env.user in event.partner_ids.user_ids + event.user_id or self.env.user.has_group('base.group_partner_manager')
+            event.user_can_edit = self.env.user in event.partner_ids.user_ids + event.user_id
 
     @api.depends('attendee_ids')
     def _compute_invalid_email_partner_ids(self):

diff --git a/addons/calendar/tests/test_access_rights.py b/addons/calendar/tests/test_access_rights.py
@@ -18,6 +18,7 @@ def setUpClass(cls):
         cls.raoul = new_test_user(cls.env, login='raoul', groups='base.group_user')
         cls.george = new_test_user(cls.env, login='george', groups='base.group_user')
         cls.portal = new_test_user(cls.env, login='pot', groups='base.group_portal')
+        cls.admin_user = new_test_user(cls.env, login='admin_user', groups='base.group_partner_manager')
 
     def create_event(self, user, **values):
         return self.env['calendar.event'].with_user(user).create({
@@ -158,3 +159,40 @@ def test_meeting_edit_access_notification_handle_in_odoo(self):
             'start': datetime.now() + timedelta(days=2),
             'stop': datetime.now() + timedelta(days=2, hours=2),
         })
+
+    def test_admin_cant_fetch_uninvited_private_events(self):
+        """
+        Administrators must not be able to fetch information from private events which
+        they are not attending (i.e. events which it is not an event partner). The privacy
+        of the event information must always be kept. Public events can be read normally.
+        """
+        john_private_evt = self.create_event(self.john, name='priv', privacy='private', location='loc_1', description='priv')
+        john_public_evt = self.create_event(self.john, name='pub', privacy='public', location='loc_2', description='pub')
+        self.env.invalidate_all()
+
+        # For the private event, ensure that no private field can be read, such as: 'name', 'location' and 'description'.
+        for (field, value) in [('name', 'Busy'), ('location', False), ('description', False)]:
+            hidden_information = self.read_event(self.admin_user, john_private_evt, field)
+            self.assertEqual(hidden_information, value, "The field '%s' information must be hidden, even for uninvited admins." % field)
+
+        # For the public event, ensure that the same fields can be read by the admin.
+        for (field, value) in [('name', 'pub'), ('location', 'loc_2'), ('description', "<p>pub</p>")]:
+            field_information = self.read_event(self.admin_user, john_public_evt, field)
+            self.assertEqual(str(field_information), value, "The field '%s' information must be readable by the admin." % field)
+
+    def test_admin_cant_edit_uninvited_events(self):
+        """
+        Administrators must not be able to edit events that they are not attending.
+        The event is property of the organizer and its attendees only, private or not.
+        """
+        john_public_evt = self.create_event(self.john, name='pub', privacy='public', location='loc_2', description='pub')
+        john_private_evt = self.create_event(self.john, name='priv', privacy='private', location='loc_1', description='priv')
+
+        for event in [john_public_evt, john_private_evt]:
+            # Ensure that uninvited admin can not edit the event since it is not an event partner (attendee).
+            with self.assertRaises(AccessError):
+                event.with_user(self.admin_user)._compute_user_can_edit()
+
+            # Ensure that AccessError is raised when trying to update the uninvited event.
+            with self.assertRaises(AccessError):
+                event.with_user(self.admin_user).write({'name': 'forbidden-update'})