[IMP] ir_ui_view: improve security dev. Log a warning message if a browse record used in the views has SUPERUSER access.
bzr revid: chm@openerp.com-20131008095805-8ek62kl4k0spw9b8
parent
e5d67ad2e0
commit
1a0b74d033
|
@ -24,20 +24,18 @@ import logging
|
|||
from lxml import etree
|
||||
from operator import itemgetter
|
||||
import os
|
||||
import sys
|
||||
import re
|
||||
import time
|
||||
|
||||
import HTMLParser
|
||||
from lxml import etree, html
|
||||
from functools import partial
|
||||
|
||||
import openerp
|
||||
from openerp import tools
|
||||
from openerp.osv import fields, osv, orm
|
||||
from openerp.tools import graph, SKIPPED_ELEMENT_TYPES
|
||||
from openerp.tools.safe_eval import safe_eval as eval
|
||||
from openerp.tools.view_validation import valid_view
|
||||
from openerp.tools import misc, qweb
|
||||
from openerp.osv.orm import browse_record, browse_record_list
|
||||
|
||||
_logger = logging.getLogger(__name__)
|
||||
|
||||
|
@ -771,9 +769,20 @@ class view(osv.osv):
|
|||
def render(self, cr, uid, id_or_xml_id, values, context=None):
|
||||
if not context:
|
||||
context = {}
|
||||
|
||||
def check_user_access(values):
|
||||
for key in values:
|
||||
value = isinstance(values, (dict,)) and values[key] or key
|
||||
if isinstance(value, (browse_record,)):
|
||||
if value.__dict__.get('_uid') == openerp.SUPERUSER_ID and uid != openerp.SUPERUSER_ID:
|
||||
message = 'SUPERUSER_ID Access used for rendering "%s" in a xml view: %s' % (key, id_or_xml_id,)
|
||||
_logger.warn(message)
|
||||
elif isinstance(value, (dict, list, browse_record_list,)):
|
||||
check_user_access(value)
|
||||
check_user_access(values)
|
||||
|
||||
def loader(name):
|
||||
return self.read_template(cr, uid, name, context=context)
|
||||
|
||||
engine = qweb.QWebXml(loader=loader, undefined_handler=lambda key, v: None)
|
||||
return engine.render(id_or_xml_id, values)
|
||||
|
||||
|
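Review bot: The `and … or` expression on the `value = isinstance(values, (dict,)) and values[key] or key` line falls back to the key string whenever a dict value is falsy (`None`, `0`, `''`, `[]`), which is the classic pitfall of that idiom; a conditional expression, `value = values[key] if isinstance(values, dict) else key`, keeps the real value. The check only flags records browsed as SUPERUSER_ID, while a record browsed under any uid other than the rendering `uid` carries the same privilege concern, so comparing the record's uid against `uid` (`rec_uid = value.__dict__.get('_uid')` then `if rec_uid is not None and rec_uid != uid:`) would generalise the warning without changing what it logs for the superuser case. Reading `__dict__` directly presumably sidesteps `browse_record.__getattr__` treating `_uid` as a field name — worth a one-line comment saying so, e.g. `# read __dict__ directly: attribute access on a browse_record is a field lookup`. `_logger.warn` is an alias of `_logger.warning`; the canonical spelling is preferred. Note that the walk is purely diagnostic — rendering proceeds with the elevated record either way — and it recurses with no depth guard, so a self-referencing dict or list in `values` would hit the recursion limit.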
|