[IMP] ir_ui_view: improve security dev. Log a warning message if a browse record used in a view has SUPERUSER access.
bzr revid: chm@openerp.com-20131008095805-8ek62kl4k0spw9b8
This commit is contained in:
parent
e5d67ad2e0
commit
1a0b74d033
|
@ -24,20 +24,18 @@ import logging
|
||||||
from lxml import etree
|
from lxml import etree
|
||||||
from operator import itemgetter
|
from operator import itemgetter
|
||||||
import os
|
import os
|
||||||
import sys
|
|
||||||
import re
|
|
||||||
import time
|
import time
|
||||||
|
|
||||||
import HTMLParser
|
import HTMLParser
|
||||||
from lxml import etree, html
|
|
||||||
from functools import partial
|
|
||||||
|
|
||||||
|
import openerp
|
||||||
from openerp import tools
|
from openerp import tools
|
||||||
from openerp.osv import fields, osv, orm
|
from openerp.osv import fields, osv, orm
|
||||||
from openerp.tools import graph, SKIPPED_ELEMENT_TYPES
|
from openerp.tools import graph, SKIPPED_ELEMENT_TYPES
|
||||||
from openerp.tools.safe_eval import safe_eval as eval
|
from openerp.tools.safe_eval import safe_eval as eval
|
||||||
from openerp.tools.view_validation import valid_view
|
from openerp.tools.view_validation import valid_view
|
||||||
from openerp.tools import misc, qweb
|
from openerp.tools import misc, qweb
|
||||||
|
from openerp.osv.orm import browse_record, browse_record_list
|
||||||
|
|
||||||
_logger = logging.getLogger(__name__)
|
_logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
@ -771,9 +769,20 @@ class view(osv.osv):
|
||||||
def render(self, cr, uid, id_or_xml_id, values, context=None):
|
def render(self, cr, uid, id_or_xml_id, values, context=None):
|
||||||
if not context:
|
if not context:
|
||||||
context = {}
|
context = {}
|
||||||
|
|
||||||
|
def check_user_access(values):
|
||||||
|
for key in values:
|
||||||
|
value = isinstance(values, (dict,)) and values[key] or key
|
||||||
|
if isinstance(value, (browse_record,)):
|
||||||
|
if value.__dict__.get('_uid') == openerp.SUPERUSER_ID and uid != openerp.SUPERUSER_ID:
|
||||||
|
message = 'SUPERUSER_ID Access used for rendering "%s" in a xml view: %s' % (key, id_or_xml_id,)
|
||||||
|
_logger.warn(message)
|
||||||
|
elif isinstance(value, (dict, list, browse_record_list,)):
|
||||||
|
check_user_access(value)
|
||||||
|
check_user_access(values)
|
||||||
|
|
||||||
def loader(name):
|
def loader(name):
|
||||||
return self.read_template(cr, uid, name, context=context)
|
return self.read_template(cr, uid, name, context=context)
|
||||||
|
|
||||||
engine = qweb.QWebXml(loader=loader, undefined_handler=lambda key, v: None)
|
engine = qweb.QWebXml(loader=loader, undefined_handler=lambda key, v: None)
|
||||||
return engine.render(id_or_xml_id, values)
|
return engine.render(id_or_xml_id, values)
|
||||||
|
|
||||||
|
|
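Review bot: `value = isinstance(values, (dict,)) and values[key] or key` in the new `check_user_access` helper silently substitutes the key whenever a dict value is falsy, and the helper recurses into nested dicts/lists with no cycle guard, so a self-referencing `values` container makes `render` raise RecursionError instead of rendering. The conditional expression `value = values[key] if isinstance(values, dict) else key` avoids the first problem; carrying a set of visited container ids through the recursion avoids the second. `_logger.warn` is the deprecated alias of `warning`, and passing `key` and `id_or_xml_id` as lazy arguments instead of pre-formatting with `%` keeps the message text identical while deferring the formatting. Note also that the check only logs: a record browsed as SUPERUSER_ID is still rendered for the non-superuser caller, so it is a development-time detection aid rather than an access control, and a comment above the helper such as `# Diagnostic only: logs records browsed as SUPERUSER_ID; does not block rendering` would keep the next reader from relying on it as one.
```python
    # … unchanged: def render(...), context default …

        def check_user_access(values, _seen=None):
            # Diagnostic only: logs records browsed as SUPERUSER_ID; does not block rendering.
            seen = set() if _seen is None else _seen
            if id(values) in seen:  # cycle guard for self-referencing containers
                return
            seen.add(id(values))
            for key in values:
                value = values[key] if isinstance(values, dict) else key
                if isinstance(value, browse_record):
                    if value.__dict__.get('_uid') == openerp.SUPERUSER_ID and uid != openerp.SUPERUSER_ID:
                        _logger.warning('SUPERUSER_ID Access used for rendering "%s" in a xml view: %s', key, id_or_xml_id)
                elif isinstance(value, (dict, list, browse_record_list)):
                    check_user_access(value, seen)
        check_user_access(values)

    # … unchanged: def loader(name), engine creation, return engine.render(...) …
```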