From 1a0b74d033343aadcc5de693690ffb530995427f Mon Sep 17 00:00:00 2001
From: Christophe Matthieu
Date: Tue, 8 Oct 2013 11:58:05 +0200
Subject: [PATCH] [IMP] ir_ui_view: improve security dev. Log a warning message if the browse record used in the views have a SUPERUSER access.

bzr revid: chm@openerp.com-20131008095805-8ek62kl4k0spw9b8
---
 openerp/addons/base/ir/ir_ui_view.py | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/openerp/addons/base/ir/ir_ui_view.py b/openerp/addons/base/ir/ir_ui_view.py
index ed9200a4d9b..b77eaf38631 100644
--- a/openerp/addons/base/ir/ir_ui_view.py
+++ b/openerp/addons/base/ir/ir_ui_view.py
@@ -24,20 +24,18 @@
 import logging
 from lxml import etree
 from operator import itemgetter
 import os
-import sys
-import re
 import time
 import HTMLParser
-from lxml import etree, html
-from functools import partial
+import openerp
 from openerp import tools
 from openerp.osv import fields, osv, orm
 from openerp.tools import graph, SKIPPED_ELEMENT_TYPES
 from openerp.tools.safe_eval import safe_eval as eval
 from openerp.tools.view_validation import valid_view
 from openerp.tools import misc, qweb
+from openerp.osv.orm import browse_record, browse_record_list

 _logger = logging.getLogger(__name__)
@@ -771,9 +769,20 @@ class view(osv.osv):
 def render(self, cr, uid, id_or_xml_id, values, context=None):
 if not context: context = {}
+
+ def check_user_access(values):
+ for key in values:
+ value = isinstance(values, (dict,)) and values[key] or key
+ if isinstance(value, (browse_record,)):
+ if value.__dict__.get('_uid') == openerp.SUPERUSER_ID and uid != openerp.SUPERUSER_ID:
+ message = 'SUPERUSER_ID Access used for rendering "%s" in a xml view: %s' % (key, id_or_xml_id,)
+ _logger.warn(message)
+ elif isinstance(value, (dict, list, browse_record_list,)):
+ check_user_access(value)
+ check_user_access(values)
+
 def loader(name):
 return self.read_template(cr, uid, name, context=context)
-
 engine = qweb.QWebXml(loader=loader, undefined_handler=lambda key, v: None)
 return engine.render(id_or_xml_id, values)
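Review bot: Two lines in check_user_access make the new detection quieter than intended: `value = isinstance(values, (dict,)) and values[key] or key` falls back to the dict key for any falsy value (an empty browse_record_list is then never walked), and `value.__dict__.get('_uid')` reads the record's private state by dict lookup, so the check silently stops matching if that attribute is stored any other way. Prefer `value = values[key] if isinstance(values, dict) else key` and `getattr(value, '_uid', None) == openerp.SUPERUSER_ID`; since browse_record_list appears to be a list subclass, the `list` entry in the elif tuple already covers it. The recursion has no cycle guard, so a self-referencing dict or list inside values recurses until RecursionError on every render; tracking visited containers in a set keyed on id() and skipping ones already seen would close that without changing what is logged. Because this only logs and only walks dicts, lists and browse_record_lists, a comment above the helper should state the scope, e.g. `# Best-effort detection: warn when a non-superuser render receives records browsed as SUPERUSER_ID (field reads through them run as the superuser, not the caller); tuples, sets and record fields are not walked.`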