[IMP] res_user: security check to prevent users from switching to a company they do not belong to (thanks to xrg for reporting)
bzr revid: odo@openerp.com-20100715165935-nlejai33n4m4o7ox
parent
9b5f933b13
commit
314e1d8f46
|
@ -360,7 +360,9 @@ class users(osv.osv):
|
|||
if not (key in self.SELF_WRITEABLE_FIELDS or key.startswith('context_')):
|
||||
break
|
||||
else:
|
||||
uid = 1 # safe fields only, so we write as super-user
|
||||
# check that user is not selecting an invalid company_id
|
||||
if 'company_id' not in values or (values.get('company_id') in self.read(cr, uid, uid, ['company_ids'], context=context)['company_ids']):
|
||||
uid = 1 # safe fields only, so we write as super-user to bypass access rights
|
||||
|
||||
res = super(users, self).write(cr, uid, ids, values, context=context)
|
||||
|
||||
|
|
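Review bot: The new company check under `else:` never rejects anything itself: when `company_id` is not among the user's `company_ids` it only skips the `uid = 1` elevation, and `super(users, self).write(...)` then runs under the caller's own uid. The denial therefore depends on the access rules for this model, which are not visible in this hunk; a user who otherwise holds write access to their own record would presumably still be able to set a company they do not belong to. If that fallback is intended, say so next to the check, e.g. `# invalid company_id: no elevation, the write falls through to the caller's own access rights`; if it is not, raise an explicit error in that case instead of falling through. The enclosing `write` method starts and ends outside the hunk.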