From 370ad007cce0a68e245821f80feab8ad0685236b Mon Sep 17 00:00:00 2001 From: Pierre Verkest Date: Tue, 5 Sep 2023 17:51:02 +0200 Subject: [PATCH] [FIX] edi_webservice_oca: use sudo to get webserivce backend info queue.job task are running in the context with the user that create the edi exchage record as those user are able to create exchange they should be able to read webservice backend while sending data in order to etablish the connexion to send payloads to the related webserivce. We don't want to give explicit read access using access model record to avoid user to retreives third party service credentials. Co-authored-by: Simone Orsi --- edi_webservice_oca/models/edi_backend.py | 3 +-- edi_webservice_oca/tests/test_send.py | 26 +++++++++++++++++++++++- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/edi_webservice_oca/models/edi_backend.py b/edi_webservice_oca/models/edi_backend.py index 48cc80b4ca1..dd1c2169424 100644 --- a/edi_webservice_oca/models/edi_backend.py +++ b/edi_webservice_oca/models/edi_backend.py @@ -5,7 +5,6 @@ class EdiBackend(models.Model): - _inherit = "edi.backend" webservice_backend_id = fields.Many2one("webservice.backend") @@ -22,7 +21,7 @@ def _component_match_attrs(self, exchange_record, key): res = super()._component_match_attrs(exchange_record, key) if not self.webservice_backend_id or key not in self._webservice_actions: return res - res["webservice_protocol"] = self.webservice_backend_id.protocol + res["webservice_protocol"] = self.webservice_backend_id.sudo().protocol return res def _component_sort_key(self, component_class): diff --git a/edi_webservice_oca/tests/test_send.py b/edi_webservice_oca/tests/test_send.py index fb7c62248c7..f0660fb087a 100644 --- a/edi_webservice_oca/tests/test_send.py +++ b/edi_webservice_oca/tests/test_send.py 
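Review bot: The new `.sudo()` in `_component_match_attrs` has no comment saying why access rights are bypassed; the reason is recorded only in the commit message. `sudo()` skips ACLs and record rules on `webservice.backend`, which the commit message says holds third-party credentials, so a short comment would help stop the elevation from being widened later: `# sudo: the job runs as the exchange creator, who has no ACL on webservice.backend; read only the protocol here`. As written, the elevated recordset is used for a single field read and is not stored in `res`, and that narrow scope is worth keeping. The method's `def` line is in the hunk header, not in the hunk body.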
@@ -40,6 +40,24 @@ def _setup_records(cls): endpoint: push/here """ cls.record.type_id.set_settings(cls.settings1) + cls.a_user = ( + cls.env["res.users"] + .with_context(no_reset_password=True) + .create( + { + "name": "foo", + "login": "a_user", + "email": "foo@bar.com", + "groups_id": [ + ( + 6, + 0, + (cls.env.ref("base.group_user")).ids, + ) + ], + } + ) + ) def test_find_component(self): component = self.backend._get_component(self.record, "send") @@ -79,9 +97,15 @@ def test_component_params(self): @responses.activate def test_component_send(self): self.record.type_id.set_settings(self.settings2) + # Internal user should be able to call the third party webservice + # without read access (no ir.access.model records) + # on `webservice.backend` model which store credentials + record = self.record.with_user(self.a_user) + backend = self.backend.with_user(self.a_user) + url = "https://foo.test/push/here" responses.add(responses.POST, url, body="{}") - component = self.backend._get_component(self.record, "send") + component = backend._get_component(record, "send") result = component.send() self.assertEqual(result, b"{}") self.assertEqual(
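Review bot: The `a_user` fixture added to `_setup_records` does not say why it is limited to `base.group_user`. The assumption it encodes, an internal user with no ACL on `webservice.backend`, is only spelled out later in `test_component_send`. A comment above the assignment would make it explicit, for example `# plain internal user: must have no read access on webservice.backend`. The parentheses around `cls.env.ref("base.group_user")` are redundant and can be dropped. `_setup_records` begins outside the hunk.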
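Review bot: `test_component_send` never checks that `a_user` actually lacks read access on `webservice.backend`, so it would still pass if another installed module granted that access to `base.group_user`, leaving the `sudo()` path unverified. Asserting the precondition before `_get_component` would pin the security property this commit is about, e.g. `self.assertFalse(self.env["webservice.backend"].with_user(self.a_user).check_access_rights("read", raise_exception=False))`; the exact API name depends on the Odoo version this branch targets. The added comment also says `ir.access.model`, whereas Odoo's ACL model is `ir.model.access`. The test body continues past the end of the hunk.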