[FIX] web: do not allow to access a database if not matching db-filter
parent
f51dac038e
commit
085ad7fcc4
|
@ -101,13 +101,13 @@ def db_redirect(req, match_first_only_if_unique):
|
|||
db = False
|
||||
redirect = False
|
||||
|
||||
dbs = db_list(req, True)
|
||||
|
||||
# 1 try the db in the url
|
||||
db_url = req.params.get('db')
|
||||
if db_url:
|
||||
if db_url and db_url in dbs:
|
||||
return (db_url, False)
|
||||
|
||||
dbs = db_list(req, True)
|
||||
|
||||
# 2 use the database from the cookie if it's listable and still listed
|
||||
cookie_db = req.httprequest.cookies.get('last_used_database')
|
||||
if cookie_db in dbs:
|
||||
|
@ -584,6 +584,8 @@ class Home(openerpweb.Controller):
|
|||
|
||||
@openerpweb.httprequest
|
||||
def login(self, req, db, login, key):
|
||||
if db not in db_list(req, True):
|
||||
return werkzeug.utils.redirect('/', 303)
|
||||
return login_and_redirect(req, db, login, key)
|
||||
|
||||
class WebClient(openerpweb.Controller):
|
||||
|
|
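Review bot: The db-filter check in `login` sits at the call site, so any other caller of `login_and_redirect` (its body is outside this hunk) presumably still authenticates against whatever database name the client supplies. Enforcing the check inside `login_and_redirect`, or in one helper shared by `login` and `db_redirect`, would keep the rule in a single place. In `db_redirect`, a `db` parameter that fails the filter now falls through silently to the cookie lookup, so the step comment should say so, e.g. `# 1 try the db in the url, only if the db filter lists it`. Neither rejection is logged; a warning-level log line with the rejected database name and the client address would let operators notice requests aimed at filtered databases. Both function bodies continue outside the visible hunks.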