From c1a4eb6f730122e716cd129b6626383fa7217712 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Mart=C3=ADnez?=
 <victor.martinez@tecnativa.com>
Date: Wed, 10 Jul 2024 08:40:50 +0200
Subject: [PATCH 1/2] [IMP] resource_booking: Add search to partner_id field to
 prevent "wrong" results

TT50035
---
 resource_booking/models/resource_booking.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/resource_booking/models/resource_booking.py b/resource_booking/models/resource_booking.py
index 85087983..40e395be 100644
--- a/resource_booking/models/resource_booking.py
+++ b/resource_booking/models/resource_booking.py
@@ -127,6 +127,7 @@ class ResourceBooking(models.Model):
         comodel_name="res.partner",
         compute="_compute_partner_id",
         inverse="_inverse_partner_id",
+        search="_search_partner_id",
         readonly=False,
         string="Requester",
     )
@@ -228,6 +229,14 @@ def _inverse_partner_id(self):
         for one in self:
             one.partner_ids = one.partner_id
 
+    @api.model
+    def _search_partner_id(self, operator, value):
+        """Overwrite this for security, partner_id field is not stored and if we search
+        for it by mistake (or out of ignorance) we will get all the records.
+        To avoid this behavior, we search for the correct field: partner_ids
+        """
+        return [("partner_ids", operator, value)]
+
     @api.model
     def _default_user_id(self):
         return self.env.user

From d97ee4b9fd7b02fd345218076291ea917a68ef50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Mart=C3=ADnez?=
 <victor.martinez@tecnativa.com>
Date: Wed, 10 Jul 2024 16:20:45 +0200
Subject: [PATCH 2/2] [OU-IMP] resource_booking: Add noupdate_changes.xml

TT50035
---
 .../migrations/15.0.1.4.0/noupdate_changes.xml      | 13 +++++++++++++
 .../migrations/15.0.1.4.0/post-migration.py         |  3 +++
 2 files changed, 16 insertions(+)
 create mode 100644 resource_booking/migrations/15.0.1.4.0/noupdate_changes.xml

diff --git a/resource_booking/migrations/15.0.1.4.0/noupdate_changes.xml b/resource_booking/migrations/15.0.1.4.0/noupdate_changes.xml
new file mode 100644
index 00000000..605ee209
--- /dev/null
+++ b/resource_booking/migrations/15.0.1.4.0/noupdate_changes.xml
@@ -0,0 +1,13 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<odoo>
+    <record id="rule_resource_booking_portal" model="ir.rule">
+        <field
+            name="domain_force"
+        >['|', ('partner_ids', 'child_of', user.partner_id.ids), ('message_partner_ids', 'child_of', user.partner_id.ids)]</field>
+    </record>
+    <record id="rule_resource_booking_user" model="ir.rule">
+        <field
+            name="domain_force"
+        >['|', '|', ('partner_ids', 'child_of', user.partner_id.ids), ('message_partner_ids', 'child_of', user.partner_id.ids), ('combination_id.resource_ids.user_id', 'in', user.ids)]</field>
+    </record>
+</odoo>
diff --git a/resource_booking/migrations/15.0.1.4.0/post-migration.py b/resource_booking/migrations/15.0.1.4.0/post-migration.py
index 27678d64..2a2b8776 100644
--- a/resource_booking/migrations/15.0.1.4.0/post-migration.py
+++ b/resource_booking/migrations/15.0.1.4.0/post-migration.py
@@ -17,3 +17,6 @@ def convert_resource_booking_partners(env):
 def migrate(env, version):
     """Put partner_id in partner_ids"""
     convert_resource_booking_partners(env)
+    openupgrade.load_data(
+        env.cr, "resource_booking", "migrations/15.0.1.4.0/noupdate_changes.xml"
+    )