[FIX] web: do not allow to access a database if not matching db-filter

2014-09-05 14:57:20 +02:00 · 2014-09-05 14:57:20 +02:00 · 085ad7fcc4
parent f51dac038e
commit 085ad7fcc4
1 changed files with 5 additions and 3 deletions
--- a/addons/web/controllers/main.py
+++ b/addons/web/controllers/main.py
@ -101,13 +101,13 @@ def db_redirect(req, match_first_only_if_unique):
    db = False
    redirect = False

+    dbs = db_list(req, True)
+
    # 1 try the db in the url
    db_url = req.params.get('db')
-    if db_url:
+    if db_url and db_url in dbs:
        return (db_url, False)

-    dbs = db_list(req, True)
-
    # 2 use the database from the cookie if it's listable and still listed
    cookie_db = req.httprequest.cookies.get('last_used_database')
    if cookie_db in dbs:
@ -584,6 +584,8 @@ class Home(openerpweb.Controller):

    @openerpweb.httprequest
    def login(self, req, db, login, key):
+        if db not in db_list(req, True):
+            return werkzeug.utils.redirect('/', 303)
        return login_and_redirect(req, db, login, key)

 class WebClient(openerpweb.Controller):