[FIX] some security issues
bzr revid: abo@openerp.com-20120928163956-3qytfhh1t03xaa1x
parent
7300ba62fe
commit
adf470bc88
@ -195,11 +195,11 @@ class res_company(osv.osv):
|
|||
]
|
||||
|
||||
ids = proxy.search(cr, uid, args, context=context)
|
||||
user = self.pool.get('res.users').read(cr, uid, [uid], ['company_id'], context=context)[0]
|
||||
user = self.pool.get('res.users').browse(cr, SUPERUSER_ID, [uid], ['company_id'], context=context)[0]
|
||||
for rule in proxy.browse(cr, uid, ids, context):
|
||||
if eval(rule.expression, {'context': context, 'user': user}):
|
||||
return rule.company_dest_id.id
|
||||
return user['company_id'][0]
|
||||
return user.company_id.id
|
||||
|
||||
@tools.ormcache()
|
||||
def _get_company_children(self, cr, uid=None, company=None):
|
||||
|
|
|
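Review bot: The new line `user = self.pool.get('res.users').browse(cr, SUPERUSER_ID, [uid], ['company_id'], context=context)[0]` keeps the field list from the old `read()` call as a positional argument; if `browse` has the usual ORM signature `(cr, uid, select, context=None, ...)`, that list lands in `context` and the trailing `context=context` keyword raises `TypeError: got multiple values for keyword argument 'context'`, so the line should be `user = self.pool.get('res.users').browse(cr, SUPERUSER_ID, uid, context=context)` with the `[0]` dropped. Separately, that record is now bound to SUPERUSER_ID and is handed straight to `eval(rule.expression, {'context': context, 'user': user})`, so every attribute a default-company rule expression traverses (groups, partner, company members, ...) is loaded without access-rights checks, and if `eval` here is the builtin rather than `safe_eval`, a writable rule expression is arbitrary code execution as well. A comment such as `# user is a SUPERUSER_ID browse record: rule expressions can traverse any field without ACL checks, so expressions must remain admin-only` would make that trust boundary explicit at the call site. The enclosing method starts before this hunk.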
@ -264,7 +264,7 @@ class res_users(osv.osv):
|
|||
# User can write on a few of his own fields (but not his groups for example)
|
||||
SELF_WRITEABLE_FIELDS = ['password', 'signature', 'action_id', 'company_id', 'email', 'name', 'image', 'image_medium', 'image_small', 'lang', 'tz']
|
||||
# User can read a few of his own fields
|
||||
SELF_READABLE_FIELDS = ['signature', 'company_id', 'login', 'email', 'name', 'image', 'image_medium', 'image_small', 'lang', 'tz', 'groups_id', 'partner_id']
|
||||
SELF_READABLE_FIELDS = ['signature', 'company_id', 'login', 'email', 'name', 'image', 'image_medium', 'image_small', 'lang', 'tz', 'groups_id', 'partner_id', '__last_update']
|
||||
|
||||
def read(self, cr, uid, ids, fields=None, context=None, load='_classic_read'):
|
||||
def override_password(o):
|
||||
|
@ -272,9 +272,9 @@ class res_users(osv.osv):
|
|||
o['password'] = '********'
|
||||
return o
|
||||
|
||||
if (isinstance(ids, (list, tuple)) and ids == [uid]) or ids == uid:
|
||||
if fields and (ids == [uid] or ids == uid):
|
||||
for key in fields:
|
||||
if not (key in self.SELF_READABLE_FIELDS or key.startswith('context_') or key in ['__last_update']):
|
||||
if not (key in self.SELF_READABLE_FIELDS or key.startswith('context_')):
|
||||
break
|
||||
else:
|
||||
# safe fields only, so we read as super-user to bypass access rights
|
||||
|
|
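Review bot: In the rewritten check `if not (key in self.SELF_READABLE_FIELDS or key.startswith('context_'))`, the prefix test makes any present or future field whose name starts with `context_` readable through the superuser branch below, so a field added later with that prefix silently bypasses access rights on `res.users`; consider listing the concrete field names in `SELF_READABLE_FIELDS` instead, or at least state the contract next to the constant: `# any res.users field named context_* is also exposed to its owner via the SUPERUSER_ID read path in read()`. The new guard `if fields and (ids == [uid] or ids == uid):` drops the old `isinstance` test, which is safe because a non-matching `ids` now falls through to the normal access-checked read; it also means a caller reading its own record with `fields=None` takes the ordinary path where the old code would have failed in `for key in fields`, which is worth a line in the method's docstring. `read` starts in the previous hunk and its body continues past the end of this one.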