[REM] tools.config, ir.actions.server: removed server_actions_allow_code option now that safe_eval is in place
Also re-allowed server actions to return an "action" to execute, and replaced contexts passed to eval by copies to avoid one possible source of side-effects. bzr revid: odo@openerp.com-20100921131437-sgdz6sk4lwdcc3ch
This commit is contained in:
parent
7acc3e30b4
commit
6af5da11d1
|
@ -512,14 +512,21 @@ class actions_server(osv.osv):
|
||||||
|
|
||||||
return obj
|
return obj
|
||||||
|
|
||||||
def merge_message(self, cr, uid, keystr, action, context):
|
def merge_message(self, cr, uid, keystr, action, context=None):
|
||||||
|
if context is None:
|
||||||
|
context = {}
|
||||||
logger = netsvc.Logger()
|
logger = netsvc.Logger()
|
||||||
def merge(match):
|
def merge(match):
|
||||||
obj_pool = self.pool.get(action.model_id.model)
|
obj_pool = self.pool.get(action.model_id.model)
|
||||||
id = context.get('active_id')
|
id = context.get('active_id')
|
||||||
obj = obj_pool.browse(cr, uid, id)
|
obj = obj_pool.browse(cr, uid, id)
|
||||||
exp = str(match.group()[2:-2]).strip()
|
exp = str(match.group()[2:-2]).strip()
|
||||||
result = eval(exp, {'object':obj, 'context': context,'time':time})
|
result = eval(exp,
|
||||||
|
{
|
||||||
|
'object': obj,
|
||||||
|
'context': dict(context), # copy context to prevent side-effects of eval
|
||||||
|
'time': time,
|
||||||
|
})
|
||||||
if result in (None, False):
|
if result in (None, False):
|
||||||
return str("--------")
|
return str("--------")
|
||||||
return tools.ustr(result)
|
return tools.ustr(result)
|
||||||
|
@ -536,13 +543,16 @@ class actions_server(osv.osv):
|
||||||
# False : Finnished correctly
|
# False : Finnished correctly
|
||||||
# ACTION_ID : Action to launch
|
# ACTION_ID : Action to launch
|
||||||
|
|
||||||
def run(self, cr, uid, ids, context={}):
|
# FIXME: refactor all the eval() calls in run()!
|
||||||
|
def run(self, cr, uid, ids, context=None):
|
||||||
logger = netsvc.Logger()
|
logger = netsvc.Logger()
|
||||||
|
if context is None:
|
||||||
|
context = {}
|
||||||
for action in self.browse(cr, uid, ids, context):
|
for action in self.browse(cr, uid, ids, context):
|
||||||
obj_pool = self.pool.get(action.model_id.model)
|
obj_pool = self.pool.get(action.model_id.model)
|
||||||
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
|
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
|
||||||
cxt = {
|
cxt = {
|
||||||
'context':context,
|
'context': dict(context), # copy context to prevent side-effects of eval
|
||||||
'object': obj,
|
'object': obj,
|
||||||
'time':time,
|
'time':time,
|
||||||
'cr': cr,
|
'cr': cr,
|
||||||
|
@ -560,26 +570,19 @@ class actions_server(osv.osv):
|
||||||
.read(cr, uid, action.action_id.id, context=context)
|
.read(cr, uid, action.action_id.id, context=context)
|
||||||
|
|
||||||
if action.state=='code':
|
if action.state=='code':
|
||||||
if config['server_actions_allow_code']:
|
localdict = {
|
||||||
localdict = {
|
'self': self.pool.get(action.model_id.model),
|
||||||
'self': self.pool.get(action.model_id.model),
|
'context': dict(context), # copy context to prevent side-effects of eval
|
||||||
'context': context,
|
'time': time,
|
||||||
'time': time,
|
'ids': ids,
|
||||||
'ids': ids,
|
'cr': cr,
|
||||||
'cr': cr,
|
'uid': uid,
|
||||||
'uid': uid,
|
'object':obj,
|
||||||
'object':obj,
|
'obj': obj,
|
||||||
'obj': obj,
|
}
|
||||||
}
|
eval(action.code, localdict, mode="exec", nocopy=True) # nocopy allows to return 'action'
|
||||||
eval(action.code, localdict, mode="exec")
|
if 'action' in localdict:
|
||||||
if 'action' in localdict:
|
return localdict['action']
|
||||||
return localdict['action']
|
|
||||||
else:
|
|
||||||
netsvc.Logger().notifyChannel(
|
|
||||||
self._name, netsvc.LOG_ERROR,
|
|
||||||
"%s is a `code` server action, but "
|
|
||||||
"it isn't allowed in this configuration.\n\n"
|
|
||||||
"See server options to enable it"%action)
|
|
||||||
|
|
||||||
if action.state == 'email':
|
if action.state == 'email':
|
||||||
user = config['email_from']
|
user = config['email_from']
|
||||||
|
@ -631,9 +634,9 @@ class actions_server(osv.osv):
|
||||||
obj_pool = self.pool.get(action.model_id.model)
|
obj_pool = self.pool.get(action.model_id.model)
|
||||||
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
|
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
|
||||||
cxt = {
|
cxt = {
|
||||||
'context':context,
|
'context': dict(context), # copy context to prevent side-effects of eval
|
||||||
'object': obj,
|
'object': obj,
|
||||||
'time':time,
|
'time': time,
|
||||||
'cr': cr,
|
'cr': cr,
|
||||||
'pool' : self.pool,
|
'pool' : self.pool,
|
||||||
'uid' : uid
|
'uid' : uid
|
||||||
|
@ -651,7 +654,11 @@ class actions_server(osv.osv):
|
||||||
if exp.type == 'equation':
|
if exp.type == 'equation':
|
||||||
obj_pool = self.pool.get(action.model_id.model)
|
obj_pool = self.pool.get(action.model_id.model)
|
||||||
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
|
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
|
||||||
cxt = {'context':context, 'object': obj, 'time':time}
|
cxt = {
|
||||||
|
'context': dict(context), # copy context to prevent side-effects of eval
|
||||||
|
'object': obj,
|
||||||
|
'time': time,
|
||||||
|
}
|
||||||
expr = eval(euq, cxt)
|
expr = eval(euq, cxt)
|
||||||
else:
|
else:
|
||||||
expr = exp.value
|
expr = exp.value
|
||||||
|
@ -687,7 +694,12 @@ class actions_server(osv.osv):
|
||||||
if exp.type == 'equation':
|
if exp.type == 'equation':
|
||||||
obj_pool = self.pool.get(action.model_id.model)
|
obj_pool = self.pool.get(action.model_id.model)
|
||||||
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
|
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
|
||||||
expr = eval(euq, {'context':context, 'object': obj, 'time':time})
|
expr = eval(euq,
|
||||||
|
{
|
||||||
|
'context': dict(context), # copy context to prevent side-effects of eval
|
||||||
|
'object': obj,
|
||||||
|
'time': time,
|
||||||
|
})
|
||||||
else:
|
else:
|
||||||
expr = exp.value
|
expr = exp.value
|
||||||
res[exp.col1.name] = expr
|
res[exp.col1.name] = expr
|
||||||
|
@ -706,7 +718,12 @@ class actions_server(osv.osv):
|
||||||
if exp.type == 'equation':
|
if exp.type == 'equation':
|
||||||
obj_pool = self.pool.get(action.model_id.model)
|
obj_pool = self.pool.get(action.model_id.model)
|
||||||
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
|
obj = obj_pool.browse(cr, uid, context['active_id'], context=context)
|
||||||
expr = eval(euq, {'context':context, 'object': obj, 'time':time})
|
expr = eval(euq,
|
||||||
|
{
|
||||||
|
'context': dict(context), # copy context to prevent side-effects of eval
|
||||||
|
'object': obj,
|
||||||
|
'time': time,
|
||||||
|
})
|
||||||
else:
|
else:
|
||||||
expr = exp.value
|
expr = exp.value
|
||||||
res[exp.col1.name] = expr
|
res[exp.col1.name] = expr
|
||||||
|
|
|
@ -221,9 +221,6 @@ class configmanager(object):
|
||||||
|
|
||||||
security = optparse.OptionGroup(parser, 'Security-related options')
|
security = optparse.OptionGroup(parser, 'Security-related options')
|
||||||
security.add_option('--no-database-list', action="store_false", dest='list_db', help="disable the ability to return the list of databases")
|
security.add_option('--no-database-list', action="store_false", dest='list_db', help="disable the ability to return the list of databases")
|
||||||
security.add_option('--enable-code-actions', action='store_true',
|
|
||||||
dest='server_actions_allow_code', default=False,
|
|
||||||
help='Enables server actions of state "code". Warning, this is a security risk.')
|
|
||||||
parser.add_option_group(security)
|
parser.add_option_group(security)
|
||||||
|
|
||||||
def parse_config(self):
|
def parse_config(self):
|
||||||
|
@ -287,7 +284,7 @@ class configmanager(object):
|
||||||
keys = [
|
keys = [
|
||||||
'language', 'translate_out', 'translate_in', 'debug_mode', 'smtp_ssl',
|
'language', 'translate_out', 'translate_in', 'debug_mode', 'smtp_ssl',
|
||||||
'stop_after_init', 'logrotate', 'without_demo', 'netrpc', 'xmlrpc', 'syslog',
|
'stop_after_init', 'logrotate', 'without_demo', 'netrpc', 'xmlrpc', 'syslog',
|
||||||
'list_db', 'server_actions_allow_code', 'xmlrpcs',
|
'list_db', 'xmlrpcs',
|
||||||
'test_file', 'test_disable', 'test_commit', 'test_report_directory'
|
'test_file', 'test_disable', 'test_commit', 'test_report_directory'
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue