[FIX] web: do not allow to access a database if not matching db-filter
authorDenis Ledoux <dle@odoo.com>
Fri, 5 Sep 2014 12:57:20 +0000 (14:57 +0200)
committerDenis Ledoux <dle@odoo.com>
Fri, 5 Sep 2014 12:57:59 +0000 (14:57 +0200)
addons/web/controllers/main.py

index 584bb3e..6bfc249 100644 (file)
@@ -101,13 +101,13 @@ def db_redirect(req, match_first_only_if_unique):
     db = False
     redirect = False
 
+    dbs = db_list(req, True)
+
     # 1 try the db in the url
     db_url = req.params.get('db')
-    if db_url:
+    if db_url and db_url in dbs:
         return (db_url, False)
 
-    dbs = db_list(req, True)
-
     # 2 use the database from the cookie if it's listable and still listed
     cookie_db = req.httprequest.cookies.get('last_used_database')
     if cookie_db in dbs:
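Review bot: The new `db_url in dbs` test on the `if db_url` line carries the whole point of the commit, yet nothing says why a URL-supplied database is now ignored rather than used; a comment above it would keep the next maintainer from "simplifying" it back, e.g. `# a db named in the URL is honoured only if db_list() still lists it, so a dbfilter cannot be bypassed by crafting the ?db= parameter`. Note that `dbs = db_list(req, True)` is now evaluated on every call, including requests that previously returned early on the URL db without listing databases; if `db_list` is costly this is a small regression, though that depends on its implementation, which is outside the hunk. A rejected `db_url` now falls through silently to the cookie step, whereas the `login` hunk below responds with a redirect to `/`; the two paths should probably agree on how a filtered-out db is handled. db_redirect continues past the end of this hunk.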
@@ -584,6 +584,8 @@ class Home(openerpweb.Controller):
 
     @openerpweb.httprequest
     def login(self, req, db, login, key):
+        if db not in db_list(req, True):
+            return werkzeug.utils.redirect('/', 303)
         return login_and_redirect(req, db, login, key)
 
 class WebClient(openerpweb.Controller):
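Review bot: The guard added to `login` rejects a filtered-out `db` with a bare 303 to `/` and no trace, so a request for a database outside the filter leaves no record for an operator to notice. If the module already has a logger, a single `_logger.warning("login refused for db %r: not in db_list", db)` before the redirect would make such requests visible; if it has none, a comment such as `# refuse to log into a db the dbfilter would hide, mirroring the URL check in db_redirect` should at least explain the early return. The membership check assumes `werkzeug` is already imported at module level, which I cannot confirm from the hunk. Both guards call `db_list(req, True)` with an undocumented positional flag; naming what `True` selects at one of the call sites would help readers.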