[FIX] attachment_zipped_download: zip allowed document only

The previous code allowed any authenticated user to retrieve any attachment present
on the odoo filesystem. So a WMS user could, technically speaking, download a zip with
accounting documents.

This implementation is calling attachment.check("read") to ensure access
rights and uses the attachment.raw attribute to retrieve the file to archive, which
(not tested) should work with attachments saved somewhere other than the
local filesystem (s3 storage, pgsql large object storage...).
Pierre Verkest
2023-04-28 13:51:35 +02:00
parent 7b2ecf9340
commit 4c2c45ef0a
2 changed files with 76 additions and 19 deletions

@@ -28,9 +28,16 @@ class IrAttachment(models.Model):
zip_buffer = BytesIO()
with zipfile.ZipFile(zip_buffer, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
for attachment in self:
zip_file.write(
attachment._full_path(attachment.store_fname), attachment.name
attachment.check("read")
zip_file.writestr(
attachment._compute_zip_file_name(),
attachment.raw,
)
zip_buffer.seek(0)
zip_file.close()
return zip_buffer
def _compute_zip_file_name(self):
"""Give a chance of easily changing the name of the file inside the ZIP."""
self.ensure_one()
return self.name
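Review bot: `_compute_zip_file_name` returns `self.name` unchanged, so two attachments in the recordset that share a name produce duplicate member names in the archive (`zipfile` only emits a warning for this, and most extractors silently keep one copy); consider making the member name unique, for instance by prefixing it with the record id. Also, the commit message itself says the `attachment.raw` path is untested against storage backends other than the local filesystem; a test that zips an attachment stored outside the filestore would back up the "should work" claim before merge. Minor: `zip_file.close()` after the `with` block is redundant, since the context manager already closes the archive.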