
openerp-community-reviewer team mailing list archive

Re: [Merge] lp:~therp-nl/ocb-server/6.1-private_fields into lp:ocb-server/6.1

 

Review: Needs Fixing code review

Some comments inline (I forgot that I also have to write here). Old Launchpad times...

Diff comments:

> === modified file 'openerp/addons/base/res/res_users.py'
> --- openerp/addons/base/res/res_users.py	2013-01-03 10:56:35 +0000
> +++ openerp/addons/base/res/res_users.py	2015-08-07 13:53:39 +0000
> @@ -40,6 +40,10 @@
>  
>  _logger = logging.getLogger(__name__)
>  
> +
> +# Only users who can modify the user (incl. the user herself) see the real contents of these fields

s/herself/themself

> +USER_PRIVATE_FIELDS = ['password']
> +
>  class groups(osv.osv):
>      _name = "res.groups"
>      _description = "Access Groups"
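Review bot: The comment above `USER_PRIVATE_FIELDS` describes only who sees the real field contents on read, but the second hunk of this patch also uses the list to reject search domains and group-by on these fields for every user except the superuser. The comment should cover both uses, since anyone extending the list needs to know that it also blocks searching and grouping. Something like `# Private fields: real contents are shown only to users who can modify the record; non-superusers can neither search nor group by them.` would do.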
> @@ -303,6 +311,24 @@
>                  result = map(override_password, result)
>          return result
>  
> +    def read_group(self, cr, uid, domain, fields, groupby, offset=0, limit=None, context=None, orderby=False):
> +        if uid != openerp.SUPERUSER_ID:
> +            groupby_fields = set([groupby] if isinstance(groupby, basestring) else groupby)
> +            if groupby_fields.intersection(USER_PRIVATE_FIELDS):
> +                raise openerp.exceptions.AccessError('Invalid groupby')

Change the message to something more informative, like "Group by a private field is not possible"

> +        return super(users, self).read_group(
> +            cr, uid, domain, fields, groupby, offset=offset, limit=limit, context=context, orderby=orderby)
> +
> +    def _search(self, cr, user, args, offset=0, limit=None, order=None, context=None, count=False, access_rights_uid=None):
> +        if user != openerp.SUPERUSER_ID and args:
> +            domain_terms = [term for term in args if isinstance(term, (tuple, list))]
> +            domain_fields = set(left for (left, op, right) in domain_terms)
> +            if domain_fields.intersection(USER_PRIVATE_FIELDS):
> +                raise openerp.exceptions.AccessError('Invalid search criterion')

The same: "You cannot search in private fields"

> +        return super(users, self)._search(
> +            cr, user, args, offset=offset, limit=limit, order=order, context=context, count=count,
> +            access_rights_uid=access_rights_uid)
> +
>  
>      def _check_company(self, cr, uid, ids, context=None):
>          return all(((this.company_id in this.company_ids) or not this.company_ids) for this in self.browse(cr, uid, ids, context))
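Review bot: The new `_search` guard inspects only `args`, so `order` reaches the base implementation unchecked. If the base class accepts any column there, a non-superuser can still have results sorted by a private field, and the row order then reveals relative values of that field. The order check has to sit outside the `and args` condition, because an empty domain with an order spec skips the current block entirely: `order_fields = set(p.split()[0] for p in (order or '').split(',') if p.strip())` followed by `if user != openerp.SUPERUSER_ID and order_fields.intersection(USER_PRIVATE_FIELDS): raise openerp.exceptions.AccessError('Invalid sort order')`. `read_group` likewise forwards `orderby` without a check, which is worth confirming against the base class. Separately, the `(left, op, right)` unpacking raises `ValueError` on a domain term that is not exactly three items long, before the base class can report it as a malformed domain.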


-- 
https://code.launchpad.net/~therp-nl/ocb-server/6.1-private_fields/+merge/267344
Your team OpenERP Community Backports is subscribed to branch lp:ocb-server/6.1.


References