[FIX] rma: portal views access errors

- Portal mail thread needs token config.
- Unpublished products will raise AccessError on RMAs portal views for
portal users due to record rules.
- Ensure active_id when getting actions in rma, since we could come from
a context that pollutes the expected active rma id.

Author: chienandalu

rma/models/rma.py

@@ -599,7 +599,10 @@ def action_replace(self):
         """Invoked when 'Replace' button in rma form view is clicked."""
         self.ensure_one()
         self._ensure_can_be_replaced()
-        action = self.env.ref("rma.rma_delivery_wizard_action").read()[0]
+        # Force active_id to avoid issues when coming from smart buttons
+        # in other models
+        action = self.env.ref("rma.rma_delivery_wizard_action").with_context(
+            active_id=self.id).read()[0]
         action['name'] = 'Replace product(s)'
         action['context'] = dict(self.env.context)
         action['context'].update(
@@ -615,7 +618,10 @@ def action_return(self):
         """
         self.ensure_one()
         self._ensure_can_be_returned()
-        action = self.env.ref("rma.rma_delivery_wizard_action").read()[0]
+        # Force active_id to avoid issues when coming from smart buttons
+        # in other models
+        action = self.env.ref("rma.rma_delivery_wizard_action").with_context(
+            active_id=self.id).read()[0]
         action['context'] = dict(self.env.context)
         action['context'].update(
             active_id=self.id,
@@ -628,9 +634,12 @@ def action_split(self):
         """Invoked when 'Split' button in rma form view is clicked."""
         self.ensure_one()
         self._ensure_can_be_split()
-        action = self.env.ref("rma.rma_split_wizard_action").read()[0]
+        # Force active_id to avoid issues when coming from smart buttons
+        # in other models
+        action = self.env.ref("rma.rma_split_wizard_action").with_context(
+            active_id=self.id).read()[0]
         action['context'] = dict(self.env.context)
-        action['context'].update(active_ids=self.ids)
+        action['context'].update(active_id=self.id, active_ids=self.ids)
         return action
 
     def action_cancel(self):
@@ -663,7 +672,10 @@ def action_preview(self):
     def action_view_receipt(self):
         """Invoked when 'Receipt' smart button in rma form view is clicked."""
         self.ensure_one()
-        action = self.env.ref('stock.action_picking_tree_all').read()[0]
+        # Force active_id to avoid issues when coming from smart buttons
+        # in other models
+        action = self.env.ref('stock.action_picking_tree_all').with_context(
+            active_id=self.id).read()[0]
         action.update(
             res_id=self.reception_move_id.picking_id.id,
             view_mode="form",
@@ -687,7 +699,8 @@ def action_view_refund(self):
 
     def action_view_delivery(self):
         """Invoked when 'Delivery' smart button in rma form view is clicked."""
-        action = self.env.ref('stock.action_picking_tree_all').read()[0]
+        action = self.env.ref('stock.action_picking_tree_all').with_context(
+            active_id=self.id).read()[0]
         picking = self.delivery_move_ids.mapped('picking_id')
         if len(picking) > 1:
             action['domain'] = [('id', 'in', picking.ids)]

rma/views/rma_portal_templates.xml

@@ -50,7 +50,8 @@
                             </a>
                         </td>
                         <td class="d-none d-md-table-cell"><span t-field="rma.date"/></td>
-                        <td><span t-field="rma.product_id.name"/></td>
+                        <!-- Portal users don't have access to unpublished products -->
+                        <td><span t-esc="rma.sudo().product_id.display_name"/></td>
                         <td class='text-right'><span t-field="rma.product_uom_qty"/></td>
                         <td class="d-none d-md-table-cell tx_status">
                             <span class="badge badge-pill badge-secondary"><span t-field="rma.state"/></span>
@@ -132,12 +133,14 @@
                                         <span t-field="rma.picking_id"/>
                                     </div>
                                 </div>
-                                <div t-if="rma.product_id" class="row mb-2 mb-sm-1">
+                                <!-- We need to prevent access errors if the product is
+                                     unpublished-->
+                                <div t-if="rma.sudo().product_id" class="row mb-2 mb-sm-1">
                                     <div class="col-12 col-sm-4">
                                         <strong>Product</strong>
                                     </div>
                                     <div class="col-12 col-sm-8">
-                                        <span t-field="rma.product_id"/>
+                                        <span t-esc="rma.sudo().product_id.display_name"/>
                                     </div>
                                 </div>
                                 <div t-if="rma.product_uom_qty" class="row mb-2 mb-sm-1">
@@ -262,6 +265,9 @@
                 <h2>Communication</h2>
                 <t t-call="portal.message_thread">
                     <t t-set="object" t-value="rma"/>
+                    <t t-set="token" t-value="rma.access_token"/>
+                    <t t-set="pid" t-value="pid"/>
+                    <t t-set="hash" t-value="hash"/>
                 </t>
             </div>
         </t>