[IMP] security on messages

bzr revid: fp@tinyerp.com-20140125224001-9acot48dnowrrwnc
2014-01-25 23:40:01 +01:00 · 2014-01-25 23:40:01 +01:00 · 5dfef8dbc8
parent f65b9b1022
commit 5dfef8dbc8
2 changed files with 16 additions and 12 deletions
--- a/addons/website_quotation/controllers/main.py
+++ b/addons/website_quotation/controllers/main.py
@ -38,9 +38,12 @@ class sale_quote(http.Controller):
        # use SUPERUSER_ID allow to access/view order for public user
        # only if he knows the private token
        order = request.registry.get('sale.order').browse(request.cr, token and SUPERUSER_ID or request.uid, order_id)
+        now = time.strftime('%Y-%m-%d')
        if token:
            assert token == order.access_token, 'Access denied!'
-            if not message:
+            # Log only once a day
+            if request.httprequest.session.get('view_quote',False)!=now:
+                request.httprequest.session['view_quote'] = now
                body=_('Quotation viewed by customer')
                self.__message_post(body, order_id, type='comment')
        days = 0
@ -50,7 +53,7 @@ class sale_quote(http.Controller):
            'quotation': order,
            'message': message and int(message) or False,
            'option': bool(filter(lambda x: not x.line_id, order.options)),
-            'order_valid': (not order.validity_date) or (datetime.datetime.now().strftime('%Y-%m-%d') <= order.validity_date),
+            'order_valid': (not order.validity_date) or (now <= order.validity_date),
            'days_valid': max(days, 0)
        }
        return request.website.render('website_quotation.so_quotation', values)
--- a/addons/website_quotation/views/website_quotation.xml
+++ b/addons/website_quotation/views/website_quotation.xml
@ -113,17 +113,19 @@
  <template id="chatter">
      <h1 class="page-header hidden-print">History</h1>
      <ul class="media-list hidden-print" id="comments-list">
-          <li t-foreach="quotation.message_ids" t-as="message" class="media">
-              <div class="media-body">
-                  <img class="media-object pull-left" t-att-src="'/website/image?model=res.partner&amp;field=image_small&amp;id='+str(message.author_id.id)" style="width: 50px; margin-right: 10px;"/>
+          <t t-foreach="quotation.message_ids" t-as="message">
+              <li class="media" t-if="message.type &lt;&gt; 'comment' or message.subtype_id">
                  <div class="media-body">
-                      <h5 class="media-heading">
-                          <span t-field="message.author_id"/> <small>on <span t-field="message.date"/></small>
-                      </h5>
-                      <div t-field="message.body"/>
+                      <img class="media-object pull-left" t-att-src="'/website/image?model=res.partner&amp;field=image_small&amp;id='+str(message.author_id.id)" style="width: 50px; margin-right: 10px;"/>
+                      <div class="media-body">
+                          <h5 class="media-heading">
+                              <span t-field="message.author_id"/> <small>on <span t-field="message.date"/></small>
+                          </h5>
+                          <div t-field="message.body"/>
+                      </div>
                  </div>
-              </div>
-          </li>
+              </li>
+          </t>
      </ul>
  </template>

@ -219,7 +221,6 @@
                      </div>
                  </div>
                  <div class="col-md-9">
-                      <p>Message <t t-esc="message"/></p>
                      <div class="alert alert-success alert-dismissable" t-if="message==1">
                          <button type="button" class="close" data-dismiss="alert" aria-hidden="true">&amp;times;</button>
                          Your message has been successfully sent!