From 3f7f2a51faa5659f5ae0d22ab722a15be076981e Mon Sep 17 00:00:00 2001
From: Denis Ledoux
Date: Tue, 26 Aug 2014 15:35:47 +0200
Subject: [PATCH] [FIX] security: remove read access on company critical fields
---
 addons/auth_ldap/users_ldap.py | 2 +-
 addons/base_gengo/res_company.py | 8 ++++----
 addons/pad/pad.py | 3 ++-
 addons/pad/res_company.py | 2 +-
 4 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/addons/auth_ldap/users_ldap.py b/addons/auth_ldap/users_ldap.py
index f6a5d5f25de..a09b6839ab9 100644
--- a/addons/auth_ldap/users_ldap.py
+++ b/addons/auth_ldap/users_ldap.py
@@ -238,7 +238,7 @@ class res_company(osv.osv):
 _inherit = "res.company"
 _columns = {
 'ldaps': fields.one2many(
- 'res.company.ldap', 'company', 'LDAP Parameters'),
+ 'res.company.ldap', 'company', 'LDAP Parameters', groups="base.group_system"),
 }
 res_company()
diff --git a/addons/base_gengo/res_company.py b/addons/base_gengo/res_company.py
index 3d038ac0813..448df8d558c 100644
--- a/addons/base_gengo/res_company.py
+++ b/addons/base_gengo/res_company.py
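Review bot: The `groups="base.group_system"` added to `ldaps` in addons/auth_ldap/users_ldap.py only gates the one2many as it is read through `res.company`. The `res.company.ldap` records it points to are governed by that model's own access rules, which this patch does not show. If that model is readable by ordinary users, the LDAP connection settings stay reachable by querying it directly, so its `ir.model.access` entries should be confirmed as administrator-only. A comment above the field would record the dependency, e.g. `# admin-only relation; res.company.ldap must also stay admin-only through its own ACL`.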
@@ -26,10 +26,10 @@ class res_company(osv.Model):
 _name = "res.company"
 _inherit = "res.company"
 _columns = {
- "gengo_private_key": fields.text("Gengo Private Key"),
- "gengo_public_key": fields.text("Gengo Public Key"),
- "gengo_comment": fields.text("Comments", help="This comment will be automatically be enclosed in each an every request sent to Gengo"),
- "gengo_auto_approve": fields.boolean("Auto Approve Translation ?", help="Jobs are Automatically Approved by Gengo."),
+ "gengo_private_key": fields.text("Gengo Private Key", groups="base.group_system"),
+ "gengo_public_key": fields.text("Gengo Public Key", groups="base.group_user"),
+ "gengo_comment": fields.text("Comments", help="This comment will be automatically be enclosed in each an every request sent to Gengo", groups="base.group_user"),
+ "gengo_auto_approve": fields.boolean("Auto Approve Translation ?", help="Jobs are Automatically Approved by Gengo.", groups="base.group_user"),
 }
 _defaults = {
diff --git a/addons/pad/pad.py b/addons/pad/pad.py
index 1379e06f184..b79d2f01ca8 100644
--- a/addons/pad/pad.py
+++ b/addons/pad/pad.py
@@ -5,6 +5,7 @@ import re
 import string
 import urllib2
 import logging
+from openerp import SUPERUSER_ID
 from openerp.tools.translate import _
 from openerp.tools import html2plaintext
 from py_etherpad import EtherpadLiteClient
@@ -19,7 +20,7 @@ class pad_common(osv.osv_memory):
 return bool(user.company_id.pad_server)
 def pad_generate_url(self, cr, uid, context=None):
- company = self.pool.get('res.users').browse(cr, uid, uid, context=context).company_id;
+ company = self.pool.get('res.users').browse(cr, SUPERUSER_ID, uid, context=context).company_id
 pad = {
 "server" : company.pad_server,
diff --git a/addons/pad/res_company.py b/addons/pad/res_company.py
index 95f1d9c1118..02c034c3df6 100644
--- a/addons/pad/res_company.py
+++ b/addons/pad/res_company.py
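Review bot: `gengo_private_key` becomes readable by `base.group_system` only, but no reader of that field in base_gengo is adjusted in this patch, whereas pad.py is switched to `SUPERUSER_ID` for the equivalent `pad_key` read. Any code path that builds the Gengo client from `company_id.gengo_private_key` under a non-administrator `uid` would presumably fail or lose the value after this change; those readers are outside the diff and should be checked. The mixed group choice in `_columns` also deserves a one-line comment stating the intent, e.g. `# private key: administrators only; other Gengo settings: internal users, not portal/public`.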
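Review bot: In `pad_generate_url`, `browse(cr, SUPERUSER_ID, uid, ...)` binds `company` to the superuser, so every attribute read through it later in the method skips access rights, not only `pad_key`. The method body continues outside the hunk, so what it returns is not visible here; the key should stay server-side and out of both the return value and any log line. A comment on the changed line would make the elevation deliberate and reviewable: `# superuser read: pad_key is restricted to base.group_system; never return or log it`.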
@@ -5,7 +5,7 @@ class company_pad(osv.osv):
 _inherit = 'res.company'
 _columns = {
 'pad_server': fields.char('Pad Server', help="Etherpad lite server. Example: beta.primarypad.com"),
- 'pad_key': fields.char('Pad Api Key', help="Etherpad lite api key."),
+ 'pad_key': fields.char('Pad Api Key', help="Etherpad lite api key.", groups="base.group_system"),
 }