[FIX] {account, sale_stock}: res_config: set_default as SUPERUSER_ID. check user group to avoid passthrough access rights security

bzr revid: dle@openerp.com-20131129154714-pogix71b73nz11qp
2013-11-29 16:47:14 +01:00 · 2013-11-29 16:47:14 +01:00 · fc4eca01e7
parent 556c7f03f0
commit fc4eca01e7
3 changed files with 15 additions and 9 deletions
--- a/addons/account/account.py
+++ b/addons/account/account.py
@ -25,6 +25,7 @@ from dateutil.relativedelta import relativedelta
 from operator import itemgetter
 import time

+import openerp
 from openerp import SUPERUSER_ID
 from openerp import pooler, tools
 from openerp.osv import fields, osv
@ -3447,6 +3448,8 @@ class wizard_multi_charts_accounts(osv.osv_memory):
        all the provided information to create the accounts, the banks, the journals, the taxes, the tax codes, the
        accounting properties... accordingly for the chosen company.
        '''
+        if uid != SUPERUSER_ID and not self.pool['res.users'].has_group(cr, uid, 'base.group_erp_manager'):
+            raise openerp.exceptions.AccessError(_("Only administrators can change the settings"))
        obj_data = self.pool.get('ir.model.data')
        ir_values_obj = self.pool.get('ir.values')
        obj_wizard = self.browse(cr, uid, ids[0])
@ -3463,7 +3466,7 @@ class wizard_multi_charts_accounts(osv.osv_memory):
                        self.pool.get(tmp2[0]).write(cr, uid, tmp2[1], {
                            'currency_id': obj_wizard.currency_id.id
                        })
-                except ValueError, e:
+                except ValueError:
                    pass

        # If the floats for sale/purchase rates have been filled, create templates from them
--- a/addons/account/res_config.py
+++ b/addons/account/res_config.py
@ -22,13 +22,12 @@
 import time
 import datetime
 from dateutil.relativedelta import relativedelta
-from operator import itemgetter
-from os.path import join as opj

+import openerp
+from openerp import SUPERUSER_ID
 from openerp.tools import DEFAULT_SERVER_DATE_FORMAT as DF
 from openerp.tools.translate import _
 from openerp.osv import fields, osv
-from openerp import tools

 class account_config_settings(osv.osv_memory):
    _name = 'account.config.settings'
@ -276,11 +275,13 @@ class account_config_settings(osv.osv_memory):

    def set_default_taxes(self, cr, uid, ids, context=None):
        """ set default sale and purchase taxes for products """
+        if uid != SUPERUSER_ID and not self.pool['res.users'].has_group(cr, uid, 'base.group_erp_manager'):
+            raise openerp.exceptions.AccessError(_("Only administrators can change the settings"))
        ir_values = self.pool.get('ir.values')
        config = self.browse(cr, uid, ids[0], context)
-        ir_values.set_default(cr, uid, 'product.product', 'taxes_id',
+        ir_values.set_default(cr, SUPERUSER_ID, 'product.product', 'taxes_id',
            config.default_sale_tax and [config.default_sale_tax.id] or False, company_id=config.company_id.id)
-        ir_values.set_default(cr, uid, 'product.product', 'supplier_taxes_id',
+        ir_values.set_default(cr, SUPERUSER_ID, 'product.product', 'supplier_taxes_id',
            config.default_purchase_tax and [config.default_purchase_tax.id] or False, company_id=config.company_id.id)

    def set_chart_of_accounts(self, cr, uid, ids, context=None):
--- a/addons/sale_stock/res_config.py
+++ b/addons/sale_stock/res_config.py
@ -19,8 +19,9 @@
 #
 ##############################################################################

+import openerp
+from openerp import SUPERUSER_ID
 from openerp.osv import fields, osv
-from openerp import pooler
 from openerp.tools.translate import _

 class sale_configuration(osv.osv_memory):
@ -76,12 +77,13 @@ class sale_configuration(osv.osv_memory):
        }

    def set_sale_defaults(self, cr, uid, ids, context=None):
+        if uid != SUPERUSER_ID and not self.pool['res.users'].has_group(cr, uid, 'base.group_erp_manager'):
+            raise openerp.exceptions.AccessError(_("Only administrators can change the settings"))
        ir_values = self.pool.get('ir.values')
-        ir_model_data = self.pool.get('ir.model.data')
        wizard = self.browse(cr, uid, ids)[0]

        default_picking_policy = 'one' if wizard.default_picking_policy else 'direct'
-        ir_values.set_default(cr, uid, 'sale.order', 'picking_policy', default_picking_policy)
+        ir_values.set_default(cr, SUPERUSER_ID, 'sale.order', 'picking_policy', default_picking_policy)
        res = super(sale_configuration, self).set_sale_defaults(cr, uid, ids, context)
        return res