Fixed potential security issue + some details

bzr revid: nicolas.vanhoren@openerp.com-20130805133309-jds80qa5j5lgwslq
niv-openerp 2013-08-05 15:33:09 +02:00
parent 226b142ac6
commit d256d16e3a
3 changed files with 11 additions and 3 deletions


@ -1071,7 +1071,10 @@ class DataSet(http.Controller):
names.get(record['id']) or "%s#%d" % (model, (record['id']))
return records
return getattr(request.session.model(model), method)(*args, **kwargs)
if method.startswith('_'):
raise Exception("Access denied")
return getattr(request.registry.get(model), method)(request.cr, request.uid, *args, **kwargs)
@http.route('/web/dataset/call', type='json', auth="user")
def call(self, model, method, args, domain_id=None, context_id=None):
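Review bot: The new guard on the `method` name only rejects names that start with `_`; `getattr(request.registry.get(model), method)` on the next line still resolves any public attribute of the model object, callable or not, and if `registry.get` follows dict `.get` semantics an unknown `model` yields `None` and the call fails with an AttributeError instead of a deliberate refusal. Resolve the target first and refuse anything that is not a callable: `mod = request.registry.get(model)`, `meth = getattr(mod, method, None) if mod is not None else None`, `if method.startswith('_') or not callable(meth): raise Exception("Access denied")`. The same two-line guard is repeated verbatim in the `Model` hunk of the second file, so a shared helper would keep both checks identical. The enclosing method of this hunk starts before the visible lines, and `call` continues past them.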


@ -574,6 +574,8 @@ class Model(object):
raise Exception("Trying to use Model with badly configured database or user.")
mod = request.registry.get(self.model)
if method.startswith('_'):
raise Exception("Access denied")
meth = getattr(mod, method)
cr = request.cr
result = meth(cr, request.uid, *args, **kw)
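Review bot: The added `startswith('_')` check sits between the registry lookup and `getattr(mod, method)`, but `mod` itself is never validated; if `request.registry.get` returns `None` for an unknown model name (hedged, the registry type is not visible here), the `getattr` raises an AttributeError rather than the explicit refusal the commit intends. A one-line guard before the lookup would make the failure deliberate: `if mod is None: raise Exception("Access denied")`. This guard duplicates the one added to the `DataSet` controller in the first file, so both sites should share one helper to avoid drifting apart. The enclosing method starts and ends outside the hunk.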


@ -1047,7 +1047,10 @@ openerp.web.Session = openerp.web.Class.extend(openerp.web.PropertiesMixin, {
return path.length >= el.length && path.slice(0, el.length) === el;
}) ? '' : this.prefix;
return prefix + path + qs;
}
},
model: function(model_name) {
return new openerp.web.Model(this, model_name);
},
});
openerp.web.Model = openerp.web.Class.extend({
@ -1084,7 +1087,7 @@ openerp.web.Model = openerp.web.Class.extend({
},
session: function() {
if (! this._session)
throw new Error("Not implemented");
throw new Error("Not session specified");
return this._session;
},
/**
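Review bot: The new error message on the added `throw` line reads as a typo, `"Not session specified"`; `throw new Error("No session specified");` says what the check means. In the first hunk the new `model` helper on `openerp.web.Session` has no doc comment, while neighbouring members of the file use JSDoc blocks; a short one would do: `/** Creates a Model bound to this session. @param {String} model_name */`. Both `Session` and `Model` definitions extend beyond the visible hunks.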