From 47e17f354a8e4ed64bd4f190e58d4b14c550cd1d Mon Sep 17 00:00:00 2001
From: Goncalo Brito
Date: Fri, 8 Nov 2024 10:20:42 +0100
Subject: [PATCH] [REF] fetch field data as user Currently auditlog fetch field data as sudo It doesn't make sense to use sudo to fetch the data since the user only have access to edit fields that he has access too. By using sudo we bypass multi company rules This commit will fix #2554
---
 auditlog/models/rule.py | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/auditlog/models/rule.py b/auditlog/models/rule.py
index 42297e38451..eaa062a6863 100644
--- a/auditlog/models/rule.py
+++ b/auditlog/models/rule.py
@@ -287,7 +287,7 @@ def create_full(self, vals_list, **kwargs):
 # their values exist in cache.
 new_values = {}
 fields_list = rule_model.get_auditlog_fields(self)
- for new_record in new_records.sudo():
+ for new_record in new_records:
 new_values.setdefault(new_record.id, {})
 for fname, field in new_record._fields.items():
 if fname not in fields_list:
@@ -385,9 +385,7 @@ def write_full(self, vals, **kwargs):
 fields_list = rule_model.get_auditlog_fields(self)
 old_values = {
 d["id"]: d
- for d in self.sudo()
- .with_context(prefetch_fields=False)
- .read(fields_list)
+ for d in self.with_context(prefetch_fields=False).read(fields_list)
 }
 # invalidate_recordset method must be called with existing fields
 if self._name == "res.users":
@@ -398,9 +396,7 @@ def write_full(self, vals, **kwargs):
 result = write_full.origin(self, vals, **kwargs)
 new_values = {
 d["id"]: d
- for d in self.sudo()
- .with_context(prefetch_fields=False)
- .read(fields_list)
+ for d in self.with_context(prefetch_fields=False).read(fields_list)
 }
 if self.env.user in users_to_exclude:
 return result
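Review bot: Without `sudo()` the audit snapshot now depends on the acting user's read rights: both `self.with_context(prefetch_fields=False).read(fields_list)` calls in `write_full` run under that user's ACLs, field groups and record rules, so an audited field the user may write but not read would likely raise `AccessError` and abort the write rather than be logged. The second read runs after `write_full.origin(...)`, so a write that moves the record outside the user's record rules (a company change, for instance) could fail at that point too. The `new_records` loop in `create_full` and the read in `unlink_full` are affected the same way. I would cover this with a test using a restricted user and add a comment above the first read, e.g. `# Read as the acting user so record rules apply; an audited field this user cannot read fails here`. All three function bodies continue outside the hunks, so how `fields_list` is filtered is not visible.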
@@ -453,9 +449,7 @@ def unlink_full(self, **kwargs):
 fields_list = rule_model.get_auditlog_fields(self)
 old_values = {
 d["id"]: d
- for d in self.sudo()
- .with_context(prefetch_fields=False)
- .read(fields_list)
+ for d in self.with_context(prefetch_fields=False).read(fields_list)
 }
 if self.env.user in users_to_exclude:
 return unlink_full.origin(self, **kwargs)
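Review bot: In `unlink_full` the `old_values` read runs before the `if self.env.user in users_to_exclude:` check, so an excluded user now goes through a user-rights `read(fields_list)` whose result is then discarded, and can fail there where the `sudo()` read could not. Moving the check above the dict comprehension, `if self.env.user in users_to_exclude: return unlink_full.origin(self, **kwargs)`, removes both the wasted query and the new failure path for users who are not audited at all. `write_full` has the same ordering, with `return result` placed after both reads. `users_to_exclude` is defined outside the hunk, so this assumes it is already in scope before the read.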