[FIX] module: install_from_urls: restrict to administrators. Urls must come from apps server.
lp bug: https://launchpad.net/bugs/1129299 fixed bzr revid: chs@openerp.com-20130218175559-ygo0goytspg119bl
parent
1a5b4160ef
commit
5032dad17d
|
@ -30,6 +30,7 @@ import shutil
|
|||
import tempfile
|
||||
import urllib
|
||||
import urllib2
|
||||
import urlparse
|
||||
import zipfile
|
||||
import zipimport
|
||||
|
||||
|
@ -39,6 +40,7 @@ except ImportError:
|
|||
from StringIO import StringIO # NOQA
|
||||
|
||||
import openerp
|
||||
import openerp.exceptions
|
||||
from openerp import modules, pooler, tools, addons
|
||||
from openerp.modules.db import create_categories
|
||||
from openerp.tools.parse_version import parse_version
|
||||
|
@ -655,6 +657,11 @@ class module(osv.osv):
|
|||
return res
|
||||
|
||||
def install_from_urls(self, cr, uid, urls, context=None):
|
||||
if not self.pool['res.users'].has_group(cr, uid, 'base.group_system'):
|
||||
raise openerp.exceptions.AccessDenied()
|
||||
|
||||
apps_server = urlparse.urlparse(self.get_apps_server(cr, uid, context=context))
|
||||
|
||||
OPENERP = 'openerp'
|
||||
tmp = tempfile.mkdtemp()
|
||||
_logger.debug('Install from url: %r', urls)
|
||||
|
@ -663,6 +670,11 @@ class module(osv.osv):
|
|||
for module_name, url in urls.items():
|
||||
if not url:
|
||||
continue # nothing to download, local version is already the last one
|
||||
|
||||
up = urlparse.urlparse(url)
|
||||
if up.scheme != apps_server.scheme or up.netloc != apps_server.netloc:
|
||||
raise openerp.exceptions.AccessDenied()
|
||||
|
||||
try:
|
||||
_logger.info('Downloading module `%s` from OpenERP Apps', module_name)
|
||||
content = urllib2.urlopen(url).read()
|
||||
|
@ -727,8 +739,8 @@ class module(osv.osv):
|
|||
finally:
|
||||
shutil.rmtree(tmp)
|
||||
|
||||
def install_by_names(self, cr, uid, names, context=None):
|
||||
raise NotImplementedError('# TODO')
|
||||
def get_apps_server(self, cr, uid, context=None):
|
||||
return tools.config.get('apps_server', 'https://apps.openerp.com/apps')
|
||||
|
||||
def _update_dependencies(self, cr, uid, mod_browse, depends=None):
|
||||
if depends is None:
|
||||
|
|
|
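Review bot: The new check on `up.scheme` / `up.netloc` in the download loop covers only the URL that was passed in. `urllib2.urlopen(url)` follows HTTP redirects by default, and the Python 2 releases current at the time of this commit did not verify TLS certificates in `urllib2`, so the bytes read may still come from a host other than the apps server. Consider keeping the response object and repeating the comparison on its final URL before reading, e.g. `resp = urllib2.urlopen(url)` followed by the same scheme/netloc test on `urlparse.urlparse(resp.geturl())`, and add a comment above the check stating that it is an origin allow-list, not an integrity check on the downloaded archive. The check also sits inside the loop, so an entry rejected late in `urls` raises after earlier entries were already fetched; validating every URL before the first download would make the call all-or-nothing. `install_from_urls` starts and ends outside these hunks, so whether the `try`/`finally` that removes `tmp` encloses the new `raise` cannot be confirmed from here.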
@ -62,8 +62,8 @@ openerp.base = function(instance) {
|
|||
if (instance.base.apps_client) {
|
||||
return check_client_available(instance.base.apps_client);
|
||||
} else {
|
||||
var ICP = new instance.web.Model('ir.config_parameter');
|
||||
return ICP.call('get_param', ['apps.server', 'https://apps.openerp.com/apps']).then(function(u) {
|
||||
var Mod = new instance.web.Model('ir.module.module');
|
||||
return Mod.call('get_apps_server').then(function(u) {
|
||||
var link = $(_.str.sprintf('<a href="%s"></a>', u))[0];
|
||||
var host = _.str.sprintf('%s//%s', link.protocol, link.host);
|
||||
var dbname = link.pathname;
|
||||
|
|
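Review bot: The value `u` returned by `Mod.call('get_apps_server')` is interpolated straight into markup by `_.str.sprintf('<a href="%s"></a>', u)` on the following line, which looks like unchanged context. A configured URL containing a quote or angle bracket would alter the parsed element instead of being treated as a URL. Building the anchor without string formatting avoids this, e.g. `var link = $('<a>').attr('href', u)[0];`. The enclosing function continues outside the hunk.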