[FIX] {account, sale_stock}: res_config: set_default as SUPERUSER_ID. check user group to avoid passthrough access rights security

bzr revid: dle@openerp.com-20131129154714-pogix71b73nz11qp
Denis Ledoux 2013-11-29 16:47:14 +01:00
parent 556c7f03f0
commit fc4eca01e7
3 changed files with 15 additions and 9 deletions


@ -25,6 +25,7 @@ from dateutil.relativedelta import relativedelta
from operator import itemgetter from operator import itemgetter
import time import time
import openerp
from openerp import SUPERUSER_ID from openerp import SUPERUSER_ID
from openerp import pooler, tools from openerp import pooler, tools
from openerp.osv import fields, osv from openerp.osv import fields, osv
@ -3447,6 +3448,8 @@ class wizard_multi_charts_accounts(osv.osv_memory):
all the provided information to create the accounts, the banks, the journals, the taxes, the tax codes, the all the provided information to create the accounts, the banks, the journals, the taxes, the tax codes, the
accounting properties... accordingly for the chosen company. accounting properties... accordingly for the chosen company.
''' '''
if uid != SUPERUSER_ID and not self.pool['res.users'].has_group(cr, uid, 'base.group_erp_manager'):
raise openerp.exceptions.AccessError(_("Only administrators can change the settings"))
obj_data = self.pool.get('ir.model.data') obj_data = self.pool.get('ir.model.data')
ir_values_obj = self.pool.get('ir.values') ir_values_obj = self.pool.get('ir.values')
obj_wizard = self.browse(cr, uid, ids[0]) obj_wizard = self.browse(cr, uid, ids[0])
@ -3463,7 +3466,7 @@ class wizard_multi_charts_accounts(osv.osv_memory):
self.pool.get(tmp2[0]).write(cr, uid, tmp2[1], { self.pool.get(tmp2[0]).write(cr, uid, tmp2[1], {
'currency_id': obj_wizard.currency_id.id 'currency_id': obj_wizard.currency_id.id
}) })
except ValueError, e: except ValueError:
pass pass
# If the floats for sale/purchase rates have been filled, create templates from them # If the floats for sale/purchase rates have been filled, create templates from them
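Review bot: The two-line administrator guard added after the docstring in `wizard_multi_charts_accounts` is repeated verbatim in `set_default_taxes` and `set_sale_defaults` in the other two files. In those two methods it is the only check in front of writes made as `SUPERUSER_ID`, so the three copies should not be allowed to drift apart. Consider one shared helper, called as for example `self._check_settings_admin(cr, uid)`, that holds the `has_group(cr, uid, 'base.group_erp_manager')` test and raises the `AccessError`. The guard also calls `_()`, and no import of `_` appears in the import context shown for this file, so confirm that it is in scope. The enclosing method starts and ends outside the hunks shown.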


@ -22,13 +22,12 @@
import time import time
import datetime import datetime
from dateutil.relativedelta import relativedelta from dateutil.relativedelta import relativedelta
from operator import itemgetter
from os.path import join as opj
import openerp
from openerp import SUPERUSER_ID
from openerp.tools import DEFAULT_SERVER_DATE_FORMAT as DF from openerp.tools import DEFAULT_SERVER_DATE_FORMAT as DF
from openerp.tools.translate import _ from openerp.tools.translate import _
from openerp.osv import fields, osv from openerp.osv import fields, osv
from openerp import tools
class account_config_settings(osv.osv_memory): class account_config_settings(osv.osv_memory):
_name = 'account.config.settings' _name = 'account.config.settings'
@ -276,11 +275,13 @@ class account_config_settings(osv.osv_memory):
def set_default_taxes(self, cr, uid, ids, context=None): def set_default_taxes(self, cr, uid, ids, context=None):
""" set default sale and purchase taxes for products """ """ set default sale and purchase taxes for products """
if uid != SUPERUSER_ID and not self.pool['res.users'].has_group(cr, uid, 'base.group_erp_manager'):
raise openerp.exceptions.AccessError(_("Only administrators can change the settings"))
ir_values = self.pool.get('ir.values') ir_values = self.pool.get('ir.values')
config = self.browse(cr, uid, ids[0], context) config = self.browse(cr, uid, ids[0], context)
ir_values.set_default(cr, uid, 'product.product', 'taxes_id', ir_values.set_default(cr, SUPERUSER_ID, 'product.product', 'taxes_id',
config.default_sale_tax and [config.default_sale_tax.id] or False, company_id=config.company_id.id) config.default_sale_tax and [config.default_sale_tax.id] or False, company_id=config.company_id.id)
ir_values.set_default(cr, uid, 'product.product', 'supplier_taxes_id', ir_values.set_default(cr, SUPERUSER_ID, 'product.product', 'supplier_taxes_id',
config.default_purchase_tax and [config.default_purchase_tax.id] or False, company_id=config.company_id.id) config.default_purchase_tax and [config.default_purchase_tax.id] or False, company_id=config.company_id.id)
def set_chart_of_accounts(self, cr, uid, ids, context=None): def set_chart_of_accounts(self, cr, uid, ids, context=None):
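Review bot: Both `ir_values.set_default(cr, SUPERUSER_ID, ...)` calls in `set_default_taxes` take `company_id=config.company_id.id` from the wizard record without checking that the calling user belongs to that company. Running as `SUPERUSER_ID` bypasses record rules, so the `base.group_erp_manager` test is the only gate, and it says nothing about which company's defaults are changed. If multi-company isolation is expected, verify the company against the user's allowed companies before the elevated calls; whether a caller already does this is not visible in this section. A short comment above the calls would also help, such as `# written as SUPERUSER_ID: the group check above is the only authorization`.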


@ -19,8 +19,9 @@
# #
############################################################################## ##############################################################################
import openerp
from openerp import SUPERUSER_ID
from openerp.osv import fields, osv from openerp.osv import fields, osv
from openerp import pooler
from openerp.tools.translate import _ from openerp.tools.translate import _
class sale_configuration(osv.osv_memory): class sale_configuration(osv.osv_memory):
@ -76,12 +77,13 @@ class sale_configuration(osv.osv_memory):
} }
def set_sale_defaults(self, cr, uid, ids, context=None): def set_sale_defaults(self, cr, uid, ids, context=None):
if uid != SUPERUSER_ID and not self.pool['res.users'].has_group(cr, uid, 'base.group_erp_manager'):
raise openerp.exceptions.AccessError(_("Only administrators can change the settings"))
ir_values = self.pool.get('ir.values') ir_values = self.pool.get('ir.values')
ir_model_data = self.pool.get('ir.model.data')
wizard = self.browse(cr, uid, ids)[0] wizard = self.browse(cr, uid, ids)[0]
default_picking_policy = 'one' if wizard.default_picking_policy else 'direct' default_picking_policy = 'one' if wizard.default_picking_policy else 'direct'
ir_values.set_default(cr, uid, 'sale.order', 'picking_policy', default_picking_policy) ir_values.set_default(cr, SUPERUSER_ID, 'sale.order', 'picking_policy', default_picking_policy)
res = super(sale_configuration, self).set_sale_defaults(cr, uid, ids, context) res = super(sale_configuration, self).set_sale_defaults(cr, uid, ids, context)
return res return res
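Review bot: `set_sale_defaults` has no docstring or comment explaining why `picking_policy` is written as `SUPERUSER_ID` while the wizard is still browsed and `super()` is still called with `uid`. I would add a docstring such as `"""Store the sale.order picking_policy default; restricted to base.group_erp_manager."""` and a comment above the elevated call, `# ir.values is written as SUPERUSER_ID; the group check above is the only authorization`. Whether the parent `set_sale_defaults` performs its own writes as `uid` is not visible here and is worth confirming, so that the elevation is applied consistently.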