Skip to content

[19.0][FIX] impersonate_login: preserve attachment creator ownership#907

Open
gdgellatly wants to merge 1 commit intoOCA:19.0from
gdgellatly:gdg-fix-impersonate-attachment-access-19
Open

[19.0][FIX] impersonate_login: preserve attachment creator ownership#907
gdgellatly wants to merge 1 commit intoOCA:19.0from
gdgellatly:gdg-fix-impersonate-attachment-access-19

Conversation

@gdgellatly
Copy link

@gdgellatly gdgellatly commented Mar 9, 2026
edited
Loading

Summary

  • Avoid rewriting create_uid / write_uid on ir.attachment during impersonation in impersonate_login.
  • This keeps Odoo core attachment access semantics for temporary/generated attachments (not yet linked to a record via res_model/res_id).
  • Fixes access errors during PO confirm/email compose where generated report attachments were created under the original impersonator and immediately unreadable by the active impersonated user.

Options considered

  • Option A (implemented): Exclude ir.attachment from impersonate create_uid/write_uid rewriting in base overrides.
    • Pros: very small patch, aligns with core ir.attachment ownership checks, no security rule override.
    • Cons: attachment audit attribution stays with effective user instead of impersonator for these records.
  • Option B (tried, reverted): Narrow ir.attachment._check_access override to whitelist only orphan attachments created by impersonate_from_uid in impersonated sessions.
    • This initially caused a recursion error because filtering forbidden attachment records triggered attachment access checks again.
    • Even after a recursion-safe adjustment, behavior remained brittle and more invasive in a security-critical path.
  • Option C (rejected): Broadly bypass core attachment check branch around owner mismatch.
    • Rejected as too risky from a security perspective.

Failures observed during investigation

  • Access error on read for generated attachment in mail compose flow:
    • Sorry, you are not allowed to access this document ... Records: ir.attachment(...), User: <impersonated uid>
  • Recursion failure with _check_access override approach:
    • RecursionError: maximum recursion depth exceeded

@gdgellatly
[FIX] impersonate_login: keep attachment ownership for access checks
7e68d04 
Avoid rewriting create_uid/write_uid on ir.attachment during impersonation.
Temporary report/email attachments may be created without res_model/res_id and
core access checks rely on creator ownership for read access in that case.
@gdgellatly
Copy link
Author

gdgellatly commented Mar 9, 2026

This came up in testing a workflow that automatically popped a mail template with an attachment, purchases specifically. I tried to make real narrow but I either got recursion errors or same access error.

@gdgellatly
Copy link
Author

gdgellatly commented Mar 9, 2026

I am just wondering if my experience is a symptom of #904 and the storing of mail messages

@OCA-git-bot
Copy link
Contributor

OCA-git-bot commented Mar 9, 2026

Hi @Kev-Roche,
some modules you are maintaining are being modified, check this out!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gdgellatly @OCA-git-bot