[IMP] res_user: security check to prevent users from switching to a company they do not belong to (thanks to xrg for reporting)

bzr revid: odo@openerp.com-20100715165935-nlejai33n4m4o7ox
2010-07-15 18:59:35 +02:00 · 2010-07-15 18:59:35 +02:00 · 314e1d8f46
parent 9b5f933b13
commit 314e1d8f46
1 changed files with 3 additions and 1 deletions
--- a/bin/addons/base/res/res_user.py
+++ b/bin/addons/base/res/res_user.py
@ -360,7 +360,9 @@ class users(osv.osv):
                if not (key in self.SELF_WRITEABLE_FIELDS or key.startswith('context_')):
                    break
            else:
-                uid = 1 # safe fields only, so we write as super-user
+                # check that user is not selecting an invalid company_id
+                if 'company_id' not in values or (values.get('company_id') in self.read(cr, uid, uid, ['company_ids'], context=context)['company_ids']):
+                    uid = 1 # safe fields only, so we write as super-user to bypass access rights

        res = super(users, self).write(cr, uid, ids, values, context=context)