[FIX] module: install_from_urls: restrict to administrators. Urls must come from apps server.

lp bug: https://launchpad.net/bugs/1129299 fixed bzr revid: chs@openerp.com-20130218175559-ygo0goytspg119bl
2013-02-18 18:55:59 +01:00 · 2013-02-18 18:55:59 +01:00 · 5032dad17d
parent 1a5b4160ef
commit 5032dad17d
2 changed files with 16 additions and 4 deletions
--- a/openerp/addons/base/module/module.py
+++ b/openerp/addons/base/module/module.py
@ -30,6 +30,7 @@ import shutil
 import tempfile
 import urllib
 import urllib2
+import urlparse
 import zipfile
 import zipimport

@ -39,6 +40,7 @@ except ImportError:
    from StringIO import StringIO   # NOQA

 import openerp
+import openerp.exceptions
 from openerp import modules, pooler, tools, addons
 from openerp.modules.db import create_categories
 from openerp.tools.parse_version import parse_version
@ -655,6 +657,11 @@ class module(osv.osv):
        return res

    def install_from_urls(self, cr, uid, urls, context=None):
+        if not self.pool['res.users'].has_group(cr, uid, 'base.group_system'):
+            raise openerp.exceptions.AccessDenied()
+
+        apps_server = urlparse.urlparse(self.get_apps_server(cr, uid, context=context))
+
        OPENERP = 'openerp'
        tmp = tempfile.mkdtemp()
        _logger.debug('Install from url: %r', urls)
@ -663,6 +670,11 @@ class module(osv.osv):
            for module_name, url in urls.items():
                if not url:
                    continue    # nothing to download, local version is already the last one
+
+                up = urlparse.urlparse(url)
+                if up.scheme != apps_server.scheme or up.netloc != apps_server.netloc:
+                    raise openerp.exceptions.AccessDenied()
+
                try:
                    _logger.info('Downloading module `%s` from OpenERP Apps', module_name)
                    content = urllib2.urlopen(url).read()
@ -727,8 +739,8 @@ class module(osv.osv):
        finally:
            shutil.rmtree(tmp)

-    def install_by_names(self, cr, uid, names, context=None):
-        raise NotImplementedError('# TODO')
+    def get_apps_server(self, cr, uid, context=None):
+        return tools.config.get('apps_server', 'https://apps.openerp.com/apps')

    def _update_dependencies(self, cr, uid, mod_browse, depends=None):
        if depends is None:
--- a/openerp/addons/base/static/src/js/apps.js
+++ b/openerp/addons/base/static/src/js/apps.js
@ -62,8 +62,8 @@ openerp.base = function(instance) {
            if (instance.base.apps_client) {
                return check_client_available(instance.base.apps_client);
            } else {
-                var ICP = new instance.web.Model('ir.config_parameter');
-                return ICP.call('get_param', ['apps.server', 'https://apps.openerp.com/apps']).then(function(u) {
+                var Mod = new instance.web.Model('ir.module.module');
+                return Mod.call('get_apps_server').then(function(u) {
                    var link = $(_.str.sprintf('<a href="%s"></a>', u))[0];
                    var host = _.str.sprintf('%s//%s', link.protocol, link.host);
                    var dbname = link.pathname;