[FIX] some security issues

bzr revid: abo@openerp.com-20120928163956-3qytfhh1t03xaa1x
Antonin Bourguignon 2012-09-28 18:39:56 +02:00
parent 7300ba62fe
commit adf470bc88
2 changed files with 5 additions and 5 deletions


@ -195,11 +195,11 @@ class res_company(osv.osv):
]
ids = proxy.search(cr, uid, args, context=context)
user = self.pool.get('res.users').read(cr, uid, [uid], ['company_id'], context=context)[0]
user = self.pool.get('res.users').browse(cr, SUPERUSER_ID, [uid], ['company_id'], context=context)[0]
for rule in proxy.browse(cr, uid, ids, context):
if eval(rule.expression, {'context': context, 'user': user}):
return rule.company_dest_id.id
return user['company_id'][0]
return user.company_id.id
@tools.ormcache()
def _get_company_children(self, cr, uid=None, company=None):
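Review bot: The `browse()` line (presumably the new side, since `user.company_id.id` below only works on a browse record) still passes the field list `['company_id']` that belonged to the replaced `read()` call; if this ORM's signature is `browse(cr, uid, select, context=None, ...)`, that list lands in the `context` slot and the explicit `context=context` then raises `TypeError` for a duplicate keyword, so the line should read `user = self.pool.get('res.users').browse(cr, SUPERUSER_ID, uid, context=context)` (a single id yields a single record, so the trailing `[0]` goes too). Separately, the record is now built under `SUPERUSER_ID` and browse records load fields lazily, so the unrestricted `eval(rule.expression, ...)` two lines later can follow any field or relation reachable from `user`, not just `company_id`; a comment such as `# user is super-user-backed: the rule expression can read any field reachable from it` would make that explicit, and evaluating the stored expression through `openerp.tools.safe_eval` with the same globals would bound what it can do. The enclosing method starts outside the hunk, and `_get_company_children` on the last line continues past it.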


@ -264,7 +264,7 @@ class res_users(osv.osv):
# User can write on a few of his own fields (but not his groups for example)
SELF_WRITEABLE_FIELDS = ['password', 'signature', 'action_id', 'company_id', 'email', 'name', 'image', 'image_medium', 'image_small', 'lang', 'tz']
# User can read a few of his own fields
SELF_READABLE_FIELDS = ['signature', 'company_id', 'login', 'email', 'name', 'image', 'image_medium', 'image_small', 'lang', 'tz', 'groups_id', 'partner_id']
SELF_READABLE_FIELDS = ['signature', 'company_id', 'login', 'email', 'name', 'image', 'image_medium', 'image_small', 'lang', 'tz', 'groups_id', 'partner_id', '__last_update']
def read(self, cr, uid, ids, fields=None, context=None, load='_classic_read'):
def override_password(o):
@ -272,9 +272,9 @@ class res_users(osv.osv):
o['password'] = '********'
return o
if (isinstance(ids, (list, tuple)) and ids == [uid]) or ids == uid:
if fields and (ids == [uid] or ids == uid):
for key in fields:
if not (key in self.SELF_READABLE_FIELDS or key.startswith('context_') or key in ['__last_update']):
if not (key in self.SELF_READABLE_FIELDS or key.startswith('context_')):
break
else:
# safe fields only, so we read as super-user to bypass access rights