[IMP] ir_ui_view: improve security dev. Log a warning message if the browse record used in the views have a SUPERUSER access.

bzr revid: chm@openerp.com-20131008095805-8ek62kl4k0spw9b8

openerp/addons/base/ir/ir_ui_view.py

@@ -24,20 +24,18 @@ import logging
 from lxml import etree
 from operator import itemgetter
 import os
-import sys
-import re
 import time
 
 import HTMLParser
-from lxml import etree, html
-from functools import partial
 
+import openerp
 from openerp import tools
 from openerp.osv import fields, osv, orm
 from openerp.tools import graph, SKIPPED_ELEMENT_TYPES
 from openerp.tools.safe_eval import safe_eval as eval
 from openerp.tools.view_validation import valid_view
 from openerp.tools import misc, qweb
+from openerp.osv.orm import browse_record, browse_record_list
 
 _logger = logging.getLogger(__name__)
 
@@ -771,9 +769,20 @@ class view(osv.osv):
     def render(self, cr, uid, id_or_xml_id, values, context=None):
         if not context:
             context = {}
+
+        def check_user_access(values):
+            for key in values:
+                value =  isinstance(values, (dict,)) and values[key] or key
+                if isinstance(value, (browse_record,)):
+                    if value.__dict__.get('_uid') == openerp.SUPERUSER_ID and uid != openerp.SUPERUSER_ID:
+                        message = 'SUPERUSER_ID Access used for rendering "%s" in a xml view: %s' % (key, id_or_xml_id,)
+                        _logger.warn(message)
+                elif isinstance(value, (dict, list, browse_record_list,)):
+                    check_user_access(value)
+        check_user_access(values)
+
         def loader(name):
             return self.read_template(cr, uid, name, context=context)
-
         engine = qweb.QWebXml(loader=loader, undefined_handler=lambda key, v: None)
         return engine.render(id_or_xml_id, values)