[IMP] security on messages
bzr revid: fp@tinyerp.com-20140125224001-9acot48dnowrrwnc
parent
f65b9b1022
commit
5dfef8dbc8
|
@ -38,9 +38,12 @@ class sale_quote(http.Controller):
|
|||
# use SUPERUSER_ID allow to access/view order for public user
|
||||
# only if he knows the private token
|
||||
order = request.registry.get('sale.order').browse(request.cr, token and SUPERUSER_ID or request.uid, order_id)
|
||||
now = time.strftime('%Y-%m-%d')
|
||||
if token:
|
||||
assert token == order.access_token, 'Access denied!'
|
||||
if not message:
|
||||
# Log only once a day
|
||||
if request.httprequest.session.get('view_quote',False)!=now:
|
||||
request.httprequest.session['view_quote'] = now
|
||||
body=_('Quotation viewed by customer')
|
||||
self.__message_post(body, order_id, type='comment')
|
||||
days = 0
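Review bot: The token check `assert token == order.access_token, 'Access denied!'` is the only barrier between the `SUPERUSER_ID` browse a few lines above and an anonymous visitor, and `assert` statements are stripped when Python runs with `-O`, so in an optimized deployment any request that carries a non-empty token would get the order rendered with superuser rights. Make it an explicit conditional that raises, e.g. replace the `if token:` / `assert` pair with `if token and token != order.access_token: raise AccessError('Access denied!')` (using `openerp.exceptions.AccessError` or werkzeug's `Forbidden`, whichever this controller already imports), so the denial survives optimization and produces a 403 instead of an `AssertionError`. A plain `==` on the shared secret also compares in non-constant time; `hmac.compare_digest` (Python 2.7.7+/3.3+) avoids that if it is available to this codebase. The enclosing method starts before this hunk and its body continues into the next one.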
|
||||
|
@ -50,7 +53,7 @@ class sale_quote(http.Controller):
|
|||
'quotation': order,
|
||||
'message': message and int(message) or False,
|
||||
'option': bool(filter(lambda x: not x.line_id, order.options)),
|
||||
'order_valid': (not order.validity_date) or (datetime.datetime.now().strftime('%Y-%m-%d') <= order.validity_date),
|
||||
'order_valid': (not order.validity_date) or (now <= order.validity_date),
|
||||
'days_valid': max(days, 0)
|
||||
}
|
||||
return request.website.render('website_quotation.so_quotation', values)
|
||||
|
|
|
@ -113,17 +113,19 @@
|
|||
<template id="chatter">
|
||||
<h1 class="page-header hidden-print">History</h1>
|
||||
<ul class="media-list hidden-print" id="comments-list">
|
||||
<li t-foreach="quotation.message_ids" t-as="message" class="media">
|
||||
<div class="media-body">
|
||||
<img class="media-object pull-left" t-att-src="'/website/image?model=res.partner&field=image_small&id='+str(message.author_id.id)" style="width: 50px; margin-right: 10px;"/>
|
||||
<t t-foreach="quotation.message_ids" t-as="message">
|
||||
<li class="media" t-if="message.type <> 'comment' or message.subtype_id">
|
||||
<div class="media-body">
|
||||
<h5 class="media-heading">
|
||||
<span t-field="message.author_id"/> <small>on <span t-field="message.date"/></small>
|
||||
</h5>
|
||||
<div t-field="message.body"/>
|
||||
<img class="media-object pull-left" t-att-src="'/website/image?model=res.partner&field=image_small&id='+str(message.author_id.id)" style="width: 50px; margin-right: 10px;"/>
|
||||
<div class="media-body">
|
||||
<h5 class="media-heading">
|
||||
<span t-field="message.author_id"/> <small>on <span t-field="message.date"/></small>
|
||||
</h5>
|
||||
<div t-field="message.body"/>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</li>
|
||||
</li>
|
||||
</t>
|
||||
</ul>
|
||||
</template>
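Review bot: The new `t-if="message.type <> 'comment' or message.subtype_id"` on the `<li>` hides internal notes only at render time; `quotation.message_ids` is still read in full and, when a token is supplied, the controller in this commit browses the order as `SUPERUSER_ID`, so this template expression is the sole barrier between the customer and staff-only messages. Filtering the visible messages in the controller and passing that list to the template keeps the rule in one place, out of reach of later template edits, and lets the `t-foreach` iterate an already-filtered list. The condition also admits every non-`comment` type (notifications, incoming emails) regardless of subtype — confirm those are all meant to be customer-facing, or whitelist the subtypes that are. Prefer `!=` over `<>`: it is the same test, is not Python-2-only, and avoids a bare `<` inside an XML attribute value (if the source file actually spells it `&lt;&gt;`, the remark is about readability only).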
|
||||
|
||||
|
@ -219,7 +221,6 @@
|
|||
</div>
|
||||
</div>
|
||||
<div class="col-md-9">
|
||||
<p>Message <t t-esc="message"/></p>
|
||||
<div class="alert alert-success alert-dismissable" t-if="message==1">
|
||||
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">&times;</button>
|
||||
Your message has been successfully sent!
|
||||
|
|