[IMP] In server-side web framework, change auth="db" to auth="admin", with some differences in semantics

bzr revid: nicolas.vanhoren@openerp.com-20130710145451-56ui50mga78eq10v
niv-openerp 2013-07-10 16:54:51 +02:00
parent 9e2c08219d
commit 57d18c1a34
2 changed files with 16 additions and 9 deletions


@ -134,18 +134,25 @@ argument of every model method in OpenERP.
Authorization Levels
--------------------
By default, all methods can only be used by users logged into OpenERP (OpenERP uses cookies to track logged users).
There are some cases when you need to enable not-logged in users to access some methods. To do so, add the ``'db'``
value to the ``auth`` parameter of ``http.route()``:
By default, all access to the models will use the rights of the currently logged in user (OpenERP uses cookies to track
logged users). It is also impossible to reach an URL without being logged (the user's browser will receive an HTTP
error).
There are some cases when the current user is not relevant, and we just want to give access to anyone to an URL. A
typical example is be the generation of a home page for a website. The home page should be visible by anyone, whether
they have an account or not. To do so, add the ``'admin'`` value to the ``auth`` parameter of ``http.route()``:
::
@http.route('/hello', type="http", auth="db")
@http.route('/hello', type="http", auth="admin")
def hello(self):
return "<div>Hello unknown user!</div>"
Please note the ``request.uid`` user id will be ``None`` inside this method call. This is due to the fact no user was
authenticated.
When using the ``admin`` authentication the access to the OpenERP models will be performed with the ``Administrator``
user and ``request.uid`` will be equal to ``openerp.SUPERUSER_ID`` (the id of the administrator).
It is important to note that when using the ``Administrator`` user all security is bypassed. So the programmers
implementing such methods should take great care of not creating security issues in the application.
Overriding Controllers
----------------------
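Review bot: the new paragraph that ends "all security is bypassed" is the right warning but stops short of telling the reader what that means for the handler code: with ``request.uid == openerp.SUPERUSER_ID`` every model call inside the method ignores access rights and record rules, so any value taken from the URL, query string or form body must be validated before it reaches a model method, and the handler should only read or write the specific records the anonymous page needs. A sentence to that effect after "take great care of not creating security issues in the application" would make the guidance actionable. Also a typo in the same hunk: "A typical example is be the generation" should read "A typical example is the generation", and the example's "Hello unknown user!" text now contradicts the surrounding paragraph, since the request is no longer unauthenticated but runs as Administrator.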


@ -156,11 +156,11 @@ class WebRequest(object):
if self.auth_method == "none":
self.db = None
self.uid = None
elif self.auth_method == "db":
elif self.auth_method == "admin":
self.db = self.session._db or db_monodb()
if not self.db:
raise SessionExpiredException("No valid database for request %s" % self.httprequest)
self.uid = None
self.uid = openerp.SUPERUSER_ID
else: # auth
try:
self.session.check_security()
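Review bot: the ``admin`` branch now assigns ``self.uid = openerp.SUPERUSER_ID`` unconditionally, so a request that arrives with a valid logged-in session still executes with superuser rights rather than the session user's rights; that matches the documentation in the other file, but it should be stated in a comment here, because a reader of this branch alone could assume the session user is honoured when ``self.session._db`` is set. Please also confirm that ``openerp`` is imported at module level in this file, since this is the first reference to ``openerp.SUPERUSER_ID`` in the request-setup path shown here, and consider naming the ``else: # auth`` branch as ``# auth == "user"`` so the three levels read consistently.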
@ -235,7 +235,7 @@ def route(route, type="http", auth="user"):
authentication modules.
"""
assert type in ["http", "json"]
assert auth in ["user", "db", "none"]
assert auth in ["user", "admin", "none"]
def decorator(f):
if isinstance(route, list):
f.routes = route