

[Merge] lp:~therp-nl/ocb-server/6.1-private_fields into lp:ocb-server/6.1

 

Stefan Rijnhart (Therp) has proposed merging lp:~therp-nl/ocb-server/6.1-private_fields into lp:ocb-server/6.1.

Requested reviews:
  Stefan Rijnhart (Therp) (stefan-therp)

For more details, see:
https://code.launchpad.net/~therp-nl/ocb-server/6.1-private_fields/+merge/267344

https://github.com/odoo/odoo/commit/856bc6f2b147970245f96e26d882f114c32e035c
https://github.com/odoo/odoo/commit/5e4c09ae5334159fbf9126493cbf0e7dcbef3859
=== modified file 'openerp/addons/base/res/res_users.py'
--- openerp/addons/base/res/res_users.py	2013-01-03 10:56:35 +0000
+++ openerp/addons/base/res/res_users.py	2015-08-07 13:53:39 +0000
@@ -40,6 +40,10 @@
 
 _logger = logging.getLogger(__name__)
 
+
+# Only users who can modify the user (incl. the user herself) see the real contents of these fields
+USER_PRIVATE_FIELDS = ['password']
+
 class groups(osv.osv):
     _name = "res.groups"
     _description = "Access Groups"
@@ -293,6 +297,10 @@
         def override_password(o):
             if 'password' in o and ( 'id' not in o or o['id'] != uid ):
                 o['password'] = '********'
+            if ('id' not in o or o['id'] != uid):
+                for f in USER_PRIVATE_FIELDS:
+                    if f in o:
+                        o[f] = '********'
             return o
         result = super(users, self).read(cr, uid, ids, fields, context, load)
         canwrite = self.pool.get('ir.model.access').check(cr, uid, 'res.users', 'write', False)
@@ -303,6 +311,24 @@
                 result = map(override_password, result)
         return result
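Review bot: The explicit `password` branch on the two lines just above the new loop is now redundant: `'password'` is the only entry in `USER_PRIVATE_FIELDS`, so the loop masks it under the same `'id' not in o or o['id'] != uid` condition, and keeping both means a later change to one branch (a different mask value, a different ownership test) can silently diverge from the other. I would drop the old two-line branch and keep only the loop, with a one-line comment above it such as `# mask every private field on any record that is not the caller's own`. Note that `override_password` is a closure inside `read`, whose signature and the `canwrite` condition that decides when the masking is applied lie outside this hunk.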
 
+    def read_group(self, cr, uid, domain, fields, groupby, offset=0, limit=None, context=None, orderby=False):
+        if uid != openerp.SUPERUSER_ID:
+            groupby_fields = set([groupby] if isinstance(groupby, basestring) else groupby)
+            if groupby_fields.intersection(USER_PRIVATE_FIELDS):
+                raise openerp.exceptions.AccessError('Invalid groupby')
+        return super(users, self).read_group(
+            cr, uid, domain, fields, groupby, offset=offset, limit=limit, context=context, orderby=orderby)
+
+    def _search(self, cr, user, args, offset=0, limit=None, order=None, context=None, count=False, access_rights_uid=None):
+        if user != openerp.SUPERUSER_ID and args:
+            domain_terms = [term for term in args if isinstance(term, (tuple, list))]
+            domain_fields = set(left for (left, op, right) in domain_terms)
+            if domain_fields.intersection(USER_PRIVATE_FIELDS):
+                raise openerp.exceptions.AccessError('Invalid search criterion')
+        return super(users, self)._search(
+            cr, user, args, offset=offset, limit=limit, order=order, context=context, count=count,
+            access_rights_uid=access_rights_uid)
+
 
     def _check_company(self, cr, uid, ids, context=None):
         return all(((this.company_id in this.company_ids) or not this.company_ids) for this in self.browse(cr, uid, ids, context))
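Review bot: `_search` validates only `args`; the `order` argument accepted by the new signature is forwarded to `super()._search` unchecked, so a non-superuser calling `search(..., order='password')` on `res.users` would still have the ORM sort by the private column, which is an ordering oracle on its value (in a 6.1 base install the column may hold cleartext unless a hashing module such as auth_crypt is present — worth confirming on the target branch). I would reject it the same way as a domain term, e.g. before the `return`: `if user != openerp.SUPERUSER_ID and order and set(o.strip().split()[0] for o in order.split(',')).intersection(USER_PRIVATE_FIELDS): raise openerp.exceptions.AccessError('Invalid order criterion')`. The same applies to `read_group`'s `orderby`, and its `fields` list is not inspected either — presumably harmless because only fields with a `group_operator` are aggregated in 6.1, but that assumption should be checked rather than relied on silently. A small shared helper could serve both methods; `_check_company` at the end of the hunk is pre-existing context and complete.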

