[IMP] In server-side web framework, change auth="db" to auth="admin", with some difference in semantics

bzr revid: nicolas.vanhoren@openerp.com-20130710145451-56ui50mga78eq10v
This commit is contained in:
niv-openerp 2013-07-10 16:54:51 +02:00
parent 9e2c08219d
commit 57d18c1a34
2 changed files with 16 additions and 9 deletions


@ -134,18 +134,25 @@ argument of every model method in OpenERP.
Authorization Levels Authorization Levels
-------------------- --------------------
By default, all methods can only be used by users logged into OpenERP (OpenERP uses cookies to track logged users). By default, all access to the models will use the rights of the currently logged in user (OpenERP uses cookies to track
There are some cases when you need to enable not-logged in users to access some methods. To do so, add the ``'db'`` logged users). It is also impossible to reach an URL without being logged (the user's browser will receive an HTTP
value to the ``auth`` parameter of ``http.route()``: error).
There are some cases when the current user is not relevant, and we just want to give access to anyone to an URL. A
typical example is be the generation of a home page for a website. The home page should be visible by anyone, whether
they have an account or not. To do so, add the ``'admin'`` value to the ``auth`` parameter of ``http.route()``:
:: ::
@http.route('/hello', type="http", auth="db") @http.route('/hello', type="http", auth="admin")
def hello(self): def hello(self):
return "<div>Hello unknown user!</div>" return "<div>Hello unknown user!</div>"
Please note the ``request.uid`` user id will be ``None`` inside this method call. This is due to the fact no user was When using the ``admin`` authentication the access to the OpenERP models will be performed with the ``Administrator``
authenticated. user and ``request.uid`` will be equal to ``openerp.SUPERUSER_ID`` (the id of the administrator).
It is important to note that when using the ``Administrator`` user all security is bypassed. So the programmers
implementing such methods should take great care of not creating security issues in the application.
Overriding Controllers Overriding Controllers
---------------------- ----------------------
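Review bot: the prose in this hunk carries a typo and a misleading example. "A typical example is be the generation of a home page" should read "A typical example is the generation of a home page", and the sample handler still returns "Hello unknown user!" although, as the new text itself explains, ``request.uid`` is now ``openerp.SUPERUSER_ID`` rather than ``None``; rename the greeting so the example does not suggest an anonymous context. The sentence "when using the ``Administrator`` user all security is bypassed" is the most important statement in this file and is easy to skim past as a plain paragraph; consider putting it in a ``.. warning::`` directive, and adding that a handler declared with ``auth="admin"`` should only read or write the specific records the public page needs, since every model call inside it runs with administrator rights.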


@ -156,11 +156,11 @@ class WebRequest(object):
if self.auth_method == "none": if self.auth_method == "none":
self.db = None self.db = None
self.uid = None self.uid = None
elif self.auth_method == "db": elif self.auth_method == "admin":
self.db = self.session._db or db_monodb() self.db = self.session._db or db_monodb()
if not self.db: if not self.db:
raise SessionExpiredException("No valid database for request %s" % self.httprequest) raise SessionExpiredException("No valid database for request %s" % self.httprequest)
self.uid = None self.uid = openerp.SUPERUSER_ID
else: # auth else: # auth
try: try:
self.session.check_security() self.session.check_security()
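Review bot: the new ``admin`` branch assigns ``self.uid = openerp.SUPERUSER_ID``, but no ``import openerp`` is visible in this hunk; confirm the module imports it at top level, otherwise the first ``auth="admin"`` request fails with ``NameError`` instead of a clean error. Also, the database is still taken from ``self.session._db`` before falling back to ``db_monodb()``, so the superuser id is applied to whichever database an unauthenticated session cookie names; that is consistent with the old ``db`` branch, but a comment next to the assignment is warranted now that the privilege level of this branch has changed from anonymous to administrator.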
@ -235,7 +235,7 @@ def route(route, type="http", auth="user"):
authentication modules. authentication modules.
""" """
assert type in ["http", "json"] assert type in ["http", "json"]
assert auth in ["user", "db", "none"] assert auth in ["user", "admin", "none"]
def decorator(f): def decorator(f):
if isinstance(route, list): if isinstance(route, list):
f.routes = route f.routes = route
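Review bot: the assertion now accepts ``["user", "admin", "none"]``, but the docstring ending at "authentication modules." is not updated in this hunk to describe what ``auth="admin"`` does (model access as ``openerp.SUPERUSER_ID``); extend the ``auth`` parameter description accordingly. Because the assert runs when the decorator is applied, any existing controller still declaring ``auth="db"`` will now raise ``AssertionError`` at import time; either update those controllers in the same change or replace the bare assert with an explicit error message naming the removed value, and do not silently map ``"db"`` to ``"admin"``, since the old value meant an anonymous request and the new one means administrator access.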