mirror of
https://github.com/OCA/knowledge.git
synced 2025-07-14 01:41:26 -06:00
25ceed4377
The previous code allowed any authenticated to retreive any attachment present
on odoo filesystem. So a WMS user could technically spoken download a zip with
accounting documents.
This implementation is calling attachemnt.check("read") to ensure access
right and use attachemnt.raw attribute to retreive file to archive which
(not test) should works with attachment saved somewhere else than the
local filesystem (s3 storage, pgsql large object storage...).
attachment_zipped_download 16.0.1.0.2
44 lines
1.4 KiB
Python
44 lines
1.4 KiB
Python
# Copyright 2019 César Fernández Domínguez <cesfernandez@outlook.com>
|
|
# Copyright 2022 Tecnativa - Víctor Martínez
|
|
# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl)
|
|
import zipfile
|
|
from io import BytesIO
|
|
|
|
from odoo import _, models
|
|
from odoo.exceptions import UserError
|
|
|
|
|
|
class IrAttachment(models.Model):
|
|
_inherit = "ir.attachment"
|
|
|
|
def action_attachments_download(self):
|
|
items = self.filtered(lambda x: x.type == "binary")
|
|
if not items:
|
|
raise UserError(
|
|
_("None attachment selected. Only binary attachments allowed.")
|
|
)
|
|
ids = ",".join(map(str, items.ids))
|
|
return {
|
|
"type": "ir.actions.act_url",
|
|
"url": "/web/attachment/download_zip?ids=%s" % (ids),
|
|
"target": "self",
|
|
}
|
|
|
|
def _create_temp_zip(self):
|
|
zip_buffer = BytesIO()
|
|
with zipfile.ZipFile(zip_buffer, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
|
|
for attachment in self:
|
|
attachment.check("read")
|
|
zip_file.writestr(
|
|
attachment._compute_zip_file_name(),
|
|
attachment.raw,
|
|
)
|
|
zip_buffer.seek(0)
|
|
zip_file.close()
|
|
return zip_buffer
|
|
|
|
def _compute_zip_file_name(self):
|
|
"""Give a chance of easily changing the name of the file inside the ZIP."""
|
|
self.ensure_one()
|
|
return self.name
|