[18.0][MIG] dms: Migration to 18.0 #385
Conversation
versions of muk_dms than 12.0.2.0.0. Tested from 1.2.4 version.
In v13, this test is programmed in such a way that the demo user is supposed to be able to copy that subdirectory: https://github.com/OCA/dms/blob/c3f802db43362127e70d8c7b4987fb71d4c1f01c/dms/tests/test_directory.py#L40 However, in OCA#7 that test was modified indicating that demo user didn't have permissions to do that: https://github.com/OCA/dms/blob/e3b6d8d24534f2a68bfb88e310cc70cefe46bb64/dms/tests/test_directory.py#L39 Rolling back that change to ensure premissions remain the same in both versions of the module. Also changing the directory to test to ensure it contains no SVG files, whose detection seems to differ among environments, and which have some specific permission restrictions that can make the modified test fail or pass. @Tecnativa TT25645
Issue solved |
victoralmau
left a comment
victoralmau
left a comment
There was a problem hiding this comment.
Some comments:
- I don't understand why you are changing the “basis” of how this module works, the permissions of directories and files, something that has specific, intentional and appropriate behavior in v17. The migration is to adapt what is necessary to v18, not to change the behavior completely as you are doing. If something is incorrect in v17 it should be fixed there first.
- There is no need to create extra commits to fix something that should be fixed in v18 ([FIX] dms: fix access rules for beter security for example), all changes related to the version change should be done in the migration commit.
| import {useBus, useService} from "@web/core/utils/hooks"; | ||
| import {_t} from "@web/core/l10n/translation"; | ||
|
|
||
| const {useRef, useEffect, useState} = owl; |
There was a problem hiding this comment.
| const {useRef, useEffect, useState} = owl; | |
| import {useRef, useEffect, useState} from "@odoo/owl"; |
There was a problem hiding this comment.
This suggestion does not change the functionality, I use this syntax outside odoo if I use OWL in other web apps like Flask.
I can merge better code, and a fix code but this one is alike to the old one :)
| @@ -0,0 +1,173 @@ | |||
| /** @odoo-module */ | |||
There was a problem hiding this comment.
| /** @odoo-module */ |
/** @odoo-module **/ can be removed from the JS files. Reference: odoo/odoo#142858
There was a problem hiding this comment.
I understand that in 18.0 definition is no longer necessary, I also wonder why they did not remove it all from the 18.0 brnch?
anyway, this change can be taken into account, thanks.
Dear @victoralmau I well known that you made a lot of contribution on this project and many other fascinating projects. I am relying on dms module and we take it priority same as EE documents module or maybe more. For that reason we need everything to be optimized with no gap!! I observed the security gap once I started migration, and I asked you and @etobella for helping me in migration. we are a community and no body can do all the work alone! Maybe I am interested in 18.0 but you are interested in 17.0 and someone else is interested in 16.0. So that I finished the migration alone but I had to solve the issue appeared to me here alone. I asked you about some rules domains and I did not get a convincing answer, even some reviewers found the issues and I couldn't justify as I myself was not convinced. For that reason and for having customers upload serious private documents we should have a module takes into account ultimate security and privacy for each partner alone. I hope you have seen the videos and liked them, if so I encourage you and others to continue what I have started in the versions of your interest that you can review and debug. Now I am satisfied with what I have done till you decide to merge or to modify, as long as it is a contribution it is owned by every contributor. |
|
@kobros-tech in a community, we should try to drive things to make them feasible for the actors, and asking the double effort of both reviewing the migration and the changes, and more without having clear (except for videos, which are not very explanatory IMO), the behavior changes, makes that this pull request will hardly be mergeable. Please start just making a plain migration to the new version, and the open other PR and focus on that changes, and always try to explain in the cleanest way the problem you are trying to fix and how to do it. Take also into account that what you consider a problem, others may consider that behavior as a requirement for their needs. And even if not a requirement, just the change of behavior is something that needs to be handled (for example, with migration scripts). Can you please split then the work? |
|
@pedrobaeza I will start it now |
kobros-tech
force-pushed
the
18.0-mig-dms
branch
from
5d2860c to
f0908f5
Compare
|
The fix for 17.0 is on this closed PR |
| base_sql = """( | ||
| SELECT | ||
| dir_group_rel.aid | ||
| FROM | ||
| dms_directory_complete_groups_rel AS dir_group_rel | ||
| INNER JOIN dms_access_group AS dag | ||
| ON dir_group_rel.gid = dag.id | ||
| INNER JOIN dms_access_group_users_rel AS users | ||
| ON users.gid = dag.id | ||
| WHERE | ||
| users.uid = %s | ||
| )""" | ||
| if operation == "read": | ||
| sql = SQL( | ||
| base_sql, | ||
| self.env.uid, | ||
| ) | ||
| else: | ||
| base_sql = f"""( | ||
| SELECT | ||
| dir_group_rel.aid | ||
| FROM | ||
| dms_directory_complete_groups_rel AS dir_group_rel | ||
| INNER JOIN dms_access_group AS dag | ||
| ON dir_group_rel.gid = dag.id | ||
| INNER JOIN dms_access_group_users_rel AS users | ||
| ON users.gid = dag.id | ||
| WHERE | ||
| users.uid = %s {self._OPERATION_CONDITIONS[operation]} | ||
| )""" | ||
| sql = SQL( | ||
| base_sql, | ||
| self.env.uid, | ||
| ) | ||
| return sql |
There was a problem hiding this comment.
Although the result is the same, can you reduce the diff to do everything without if/else (just as it was before)?
| <field name="perm_write" eval="0" /> | ||
| <field name="perm_unlink" eval="0" /> | ||
| <field name="domain_force">[('permission_create', '=', user.id)]</field> | ||
| <field name="domain_force">[('permission_create', '=', True)]</field> |
There was a problem hiding this comment.
According to the comments on #385 (comment) these changes (and everything related) are not necessary, the behavior that has been in place up to now should be maintained.
| <li | ||
| id="portal_breadcrumbs_documents" | ||
| t-if="page_name == 'dms_directory' or dms_directory" | ||
| t-attf-class="breadcrumb-item #{'active 'if not dms_directory else ''}" | ||
| > | ||
| <a | ||
| t-if="dms_directory" | ||
| t-attf-href="/my/dms?{{ keep_query() }}" | ||
| >Documents</a> | ||
| <t t-else="">Documents</t> | ||
| </li> |
There was a problem hiding this comment.
These changes are not necessary and it should be as before. The breadcrum will only be shown if access_token is not used (if it is used, probably there is no logged in user and adding the link to “/my/dms” does not make sense because it will not work).
The cause of security suspecion can be shown in this example:`
` |
|
|
|
The UI looks like it's broken. Maybe this PR will be useful for you when changing some outdated classes in the upstream codebase: OCA/odoo-module-migrator#121 Menu Documents > Files
Menu Documents > Directories
|
|
As discussed at #385 (comment), can you continue this PR with only the necessary migration changes? |
|
compare version version version version note: I think the tag names should be written in regular like version 16.0 instead of bold |
|
Can you check why portal users can access the list and download all the files? |
Apply this commit and and watch description video and review if you need to limit accessing files. |
|
Sorry, are you going to continue this migration PR with the extra security rule changes you have added? #385 (comment) I just intend to clarify, otherwise, this PR will not work (at least for me) because it has changes that are not necessary and deform the existing behavior in previous versions, therefore, I will create a new one re-using the changes that are from the migration in a new PR. |
all right, ping us and will be reviewing with you there if you need. |
Everything is commented and explained at #392, but in any case, all those changes should not be included here. |
|
Superseded by #399 |
|
Yes, having the fact that this PR is introducing debatable behavior changes, let's do the raw migration, and discuss in subsequent PRs the convenience of the other changes. |
20 participants
No description provided.