From ddc78626e16025bbe40e9bfac412f61f781176e2 Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Fri, 12 Sep 2014 17:51:56 +0200 Subject: [PATCH 1/3] [IMP] ir.model:.fields allow setting ondelete=restrict foncustom fields --- openerp/addons/base/ir/ir_model.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openerp/addons/base/ir/ir_model.py b/openerp/addons/base/ir/ir_model.py index c8c7b77c441..25529d648d1 100644 --- a/openerp/addons/base/ir/ir_model.py +++ b/openerp/addons/base/ir/ir_model.py @@ -244,7 +244,8 @@ class ir_model_fields(osv.osv): 'translate': fields.boolean('Translatable', help="Whether values for this field can be translated (enables the translation mechanism for that field)"), 'size': fields.integer('Size'), 'state': fields.selection([('manual','Custom Field'),('base','Base Field')],'Type', required=True, readonly=True, select=1), - 'on_delete': fields.selection([('cascade','Cascade'),('set null','Set NULL')], 'On Delete', help='On delete property for many2one fields'), + 'on_delete': fields.selection([('cascade', 'Cascade'), ('set null', 'Set NULL'), ('restrict', 'Restrict')], + 'On Delete', help='On delete property for many2one fields'), 'domain': fields.char('Domain', help="The optional domain to restrict possible values for relationship fields, " "specified as a Python expression defining a list of triplets. " "For example: [('color','=','red')]"), From b601015800ba2ec28fdd064eb560349b51149936 Mon Sep 17 00:00:00 2001 From: Denis Ledoux Date: Mon, 15 Sep 2014 11:55:53 +0200 Subject: [PATCH 2/3] [FIX] tools: restrict available attributes --- openerp/tools/safe_eval.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/openerp/tools/safe_eval.py b/openerp/tools/safe_eval.py index 0b9b2e7a8a3..c317c9bea88 100644 --- a/openerp/tools/safe_eval.py +++ b/openerp/tools/safe_eval.py @@ -42,6 +42,9 @@ __all__ = ['test_expr', 'safe_eval', 'const_eval'] # lp:703841), does import time. _ALLOWED_MODULES = ['_strptime', 'time'] +_UNSAFE_ATTRIBUTES = ['f_builtins', 'f_globals', 'f_locals', 'gi_frame', + 'co_code', 'func_globals'] + _CONST_OPCODES = set(opmap[x] for x in [ 'POP_TOP', 'ROT_TWO', 'ROT_THREE', 'ROT_FOUR', 'DUP_TOP', 'DUP_TOPX', 'POP_BLOCK','SETUP_LOOP', 'BUILD_LIST', 'BUILD_MAP', 'BUILD_TUPLE', @@ -113,7 +116,7 @@ def assert_no_dunder_name(code_obj, expr): .. note:: actually forbids every name containing 2 underscores """ for name in code_obj.co_names: - if "__" in name: + if "__" in name or name in _UNSAFE_ATTRIBUTES: raise NameError('Access to forbidden name %r (%r)' % (name, expr)) def assert_valid_codeobj(allowed_codes, code_obj, expr): From 42680c9906125a034c2df2d1dd106b00212a27fc Mon Sep 17 00:00:00 2001 From: Denis Ledoux Date: Mon, 7 Apr 2014 10:24:45 +0200 Subject: [PATCH 3/3] [FIX] web: backport of ebb826a and 2372d30 Fixing breadcrumb not being displayed after some action button (e.g. validate invoice, opw 612763) --- addons/web/controllers/main.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/addons/web/controllers/main.py b/addons/web/controllers/main.py index 6bfc249cc9a..6206d1fa4d4 100644 --- a/addons/web/controllers/main.py +++ b/addons/web/controllers/main.py @@ -1109,11 +1109,14 @@ class DataSet(openerpweb.Controller): def _call_kw(self, req, model, method, args, kwargs): # Temporary implements future display_name special field for model#read() - if method == 'read' and kwargs.get('context', {}).get('future_display_name'): + if method in ('read', 'search_read') and kwargs.get('context', {}).get('future_display_name'): if 'display_name' in args[1]: - names = dict(req.session.model(model).name_get(args[0], **kwargs)) + if method == 'read': + names = dict(req.session.model(model).name_get(args[0], **kwargs)) + else: + names = dict(req.session.model(model).name_search('', args[0], **kwargs)) args[1].remove('display_name') - records = req.session.model(model).read(*args, **kwargs) + records = getattr(req.session.model(model), method)(*args, **kwargs) for record in records: record['display_name'] = \ names.get(record['id']) or "%s#%d" % (model, (record['id']))