Fixed potential security issue + some details
bzr revid: nicolas.vanhoren@openerp.com-20130805133309-jds80qa5j5lgwslq
parent
226b142ac6
commit
d256d16e3a
|
@ -1071,7 +1071,10 @@ class DataSet(http.Controller):
|
|||
names.get(record['id']) or "%s#%d" % (model, (record['id']))
|
||||
return records
|
||||
|
||||
return getattr(request.session.model(model), method)(*args, **kwargs)
|
||||
if method.startswith('_'):
|
||||
raise Exception("Access denied")
|
||||
|
||||
return getattr(request.registry.get(model), method)(request.cr, request.uid, *args, **kwargs)
|
||||
|
||||
@http.route('/web/dataset/call', type='json', auth="user")
|
||||
def call(self, model, method, args, domain_id=None, context_id=None):
|
||||
|
|
|
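Review bot: The guard added in `_call_kw` refuses only names that begin with an underscore, and the result of `request.registry.get(model)` goes straight into `getattr` without a check that the lookup found a model. Every other attribute of the model object stays callable by name from the JSON request under `request.uid`, so this is a denylist that relies on every sensitive method following the naming convention. Binding `mod = request.registry.get(model)` first and testing `if mod is None or method.startswith('_'):` would at least turn an unknown model into the same refusal, and a comment should state the convention. The call also no longer goes through `request.session.model(model)`, so anything that proxy enforces before dispatch (the `Model` hunk below appears to show a database/user configuration check) is skipped here unless repeated. The same two-line guard is duplicated in that `Model` hunk, where a shared helper would keep the copies from drifting; `_call_kw` starts above this hunk.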
@ -574,6 +574,8 @@ class Model(object):
|
|||
raise Exception("Trying to use Model with badly configured database or user.")
|
||||
|
||||
mod = request.registry.get(self.model)
|
||||
if method.startswith('_'):
|
||||
raise Exception("Access denied")
|
||||
meth = getattr(mod, method)
|
||||
cr = request.cr
|
||||
result = meth(cr, request.uid, *args, **kw)
|
||||
|
|
|
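Review bot: The refusal here raises a bare `Exception("Access denied")`, the same type as the configuration error at the top of the hunk, so a caller or error handler cannot tell a refused private-method call from a misconfigured database. An access-specific exception class, if the project has one, plus a log entry naming `self.model` and `method`, would let the refusal be handled and monitored on its own. The guard could also sit above `mod = request.registry.get(self.model)` so no lookup happens for a name that will be refused, with a comment such as `# names starting with '_' are private by convention; refuse to dispatch them`. The enclosing method starts and ends outside the hunk.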
@ -1047,7 +1047,10 @@ openerp.web.Session = openerp.web.Class.extend(openerp.web.PropertiesMixin, {
|
|||
return path.length >= el.length && path.slice(0, el.length) === el;
|
||||
}) ? '' : this.prefix;
|
||||
return prefix + path + qs;
|
||||
}
|
||||
},
|
||||
model: function(model_name) {
|
||||
return new openerp.web.Model(this, model_name);
|
||||
},
|
||||
});
|
||||
|
||||
openerp.web.Model = openerp.web.Class.extend({
|
||||
|
@ -1084,7 +1087,7 @@ openerp.web.Model = openerp.web.Class.extend({
|
|||
},
|
||||
session: function() {
|
||||
if (! this._session)
|
||||
throw new Error("Not implemented");
|
||||
throw new Error("Not session specified");
|
||||
return this._session;
|
||||
},
|
||||
/**
|
||||
|
|
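Review bot: The message `"Not session specified"` in `session()`, which appears to be the new side of the second hunk, is ungrammatical and reads like a typo; `throw new Error("No session specified");` says what is missing. The `model: function(model_name)` member in the first hunk has no doc comment, while a `/**` block opens at the end of the second hunk, so a short one stating that it returns an `openerp.web.Model` bound to this session would fit the file. Both hunks cut through their enclosing object literals, so this covers only the visible lines.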