odoo
/
odoo
2
0
Fork 0
Code Pull Requests Releases Activity

[REM] tools.config, ir.actions.server: removed server_actions_allow_code option now that safe_eval is in place 

Also re-allowed server actions to return an "action" to execute, and replaced contexts passed to eval by copies to avoid one possible source of side-effects.

bzr revid: odo@openerp.com-20100921131437-sgdz6sk4lwdcc3ch
This commit is contained in:
Olivier Dony 2010-09-21 15:14:37 +02:00
parent 7acc3e30b4
commit 6af5da11d1
2 changed files with 47 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
bin/addons/base/ir/ir_actions.py
View File

@ -512,14 +512,21 @@ class actions_server(osv.osv):
return obj
def merge_message(self, cr, uid, keystr, action, context):
def merge_message(self, cr, uid, keystr, action, context=None):
if context is None:
context = {}
logger = netsvc.Logger()
def merge(match):
obj_pool = self.pool.get(action.model_id.model)
id = context.get('active_id')
obj = obj_pool.browse(cr, uid, id)
exp = str(match.group()[2:-2]).strip()
result = eval(exp, {'object':obj, 'context': context,'time':time})
result = eval(exp,
{
'object': obj,
'context': dict(context), # copy context to prevent side-effects of eval
'time': time,
})
if result in (None, False):
return str("--------")
return tools.ustr(result)
@ -536,13 +543,16 @@ class actions_server(osv.osv):
# False : Finnished correctly
# ACTION_ID : Action to launch
def run(self, cr, uid, ids, context={}):
# FIXME: refactor all the eval() calls in run()!
def run(self, cr, uid, ids, context=None):
logger = netsvc.Logger()
if context is None:
context = {}
for action in self.browse(cr, uid, ids, context):
obj_pool = self.pool.get(action.model_id.model)
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
cxt = {
'context':context,
'context': dict(context), # copy context to prevent side-effects of eval
'object': obj,
'time':time,
'cr': cr,
@ -560,26 +570,19 @@ class actions_server(osv.osv):
.read(cr, uid, action.action_id.id, context=context)
if action.state=='code':
if config['server_actions_allow_code']:
localdict = {
'self': self.pool.get(action.model_id.model),
'context': context,
'time': time,
'ids': ids,
'cr': cr,
'uid': uid,
'object':obj,
'obj': obj,
}
eval(action.code, localdict, mode="exec")
if 'action' in localdict:
return localdict['action']
else:
netsvc.Logger().notifyChannel(
self._name, netsvc.LOG_ERROR,
"%s is a `code` server action, but "
"it isn't allowed in this configuration.\n\n"
"See server options to enable it"%action)
localdict = {
'self': self.pool.get(action.model_id.model),
'context': dict(context), # copy context to prevent side-effects of eval
'time': time,
'ids': ids,
'cr': cr,
'uid': uid,
'object':obj,
'obj': obj,
}
eval(action.code, localdict, mode="exec", nocopy=True) # nocopy allows to return 'action'
if 'action' in localdict:
return localdict['action']
if action.state == 'email':
user = config['email_from']
@ -631,9 +634,9 @@ class actions_server(osv.osv):
obj_pool = self.pool.get(action.model_id.model)
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
cxt = {
'context':context,
'context': dict(context), # copy context to prevent side-effects of eval
'object': obj,
'time':time,
'time': time,
'cr': cr,
'pool' : self.pool,
'uid' : uid
@ -651,7 +654,11 @@ class actions_server(osv.osv):
if exp.type == 'equation':
obj_pool = self.pool.get(action.model_id.model)
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
cxt = {'context':context, 'object': obj, 'time':time}
cxt = {
'context': dict(context), # copy context to prevent side-effects of eval
'object': obj,
'time': time,
}
expr = eval(euq, cxt)
else:
expr = exp.value
@ -687,7 +694,12 @@ class actions_server(osv.osv):
if exp.type == 'equation':
obj_pool = self.pool.get(action.model_id.model)
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
expr = eval(euq, {'context':context, 'object': obj, 'time':time})
expr = eval(euq,
{
'context': dict(context), # copy context to prevent side-effects of eval
'object': obj,
'time': time,
})
else:
expr = exp.value
res[exp.col1.name] = expr
@ -706,7 +718,12 @@ class actions_server(osv.osv):
if exp.type == 'equation':
obj_pool = self.pool.get(action.model_id.model)
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
expr = eval(euq, {'context':context, 'object': obj, 'time':time})
expr = eval(euq,
{
'context': dict(context), # copy context to prevent side-effects of eval
'object': obj,
'time': time,
})
else:
expr = exp.value
res[exp.col1.name] = expr

5
bin/tools/config.py
View File

@ -221,9 +221,6 @@ class configmanager(object):
security = optparse.OptionGroup(parser, 'Security-related options')
security.add_option('--no-database-list', action="store_false", dest='list_db', help="disable the ability to return the list of databases")
security.add_option('--enable-code-actions', action='store_true',
dest='server_actions_allow_code', default=False,
help='Enables server actions of state "code". Warning, this is a security risk.')
parser.add_option_group(security)
def parse_config(self):
@ -287,7 +284,7 @@ class configmanager(object):
keys = [
'language', 'translate_out', 'translate_in', 'debug_mode', 'smtp_ssl',
'stop_after_init', 'logrotate', 'without_demo', 'netrpc', 'xmlrpc', 'syslog',
'list_db', 'server_actions_allow_code', 'xmlrpcs',
'list_db', 'xmlrpcs',
'test_file', 'test_disable', 'test_commit', 'test_report_directory'
]