From 15905e78c5ad38ffdc039ade20f272fcba9ccbfe Mon Sep 17 00:00:00 2001
From: Martin Trigaux
Date: Tue, 29 Oct 2013 18:14:20 +0100
Subject: [PATCH] [FIX] ir_attachment: fix security issues on ir_attachment

check: verify the permissions even when no ids are passed (skipped permission checking for create)
create: verify has the write access on the related model (instead of create, was not checked anyway)
function field: execute the write in fnct_inv as superuser (was impossible to have creation without write access)

bzr revid: mat@openerp.com-20131029171420-x87wu7ph8ej7mtro
---
 openerp/addons/base/ir/ir_attachment.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/openerp/addons/base/ir/ir_attachment.py b/openerp/addons/base/ir/ir_attachment.py
index 857ebc7..a286670 100644
--- a/openerp/addons/base/ir/ir_attachment.py
+++ b/openerp/addons/base/ir/ir_attachment.py
@@ -27,6 +27,7 @@ import re from openerp import tools from openerp.osv import fields,osv
+from openerp import SUPERUSER_ID _logger = logging.getLogger(__name__)
@@ -142,9 +143,9 @@ class ir_attachment(osv.osv): if attach.store_fname: self._file_delete(cr, uid, location, attach.store_fname) fname = self._file_write(cr, uid, location, value)
- super(ir_attachment, self).write(cr, uid, [id], {'store_fname': fname, 'file_size': file_size}, context=context)
+ super(ir_attachment, self).write(cr, SUPERUSER_ID, [id], {'store_fname': fname, 'file_size': file_size}, context=context) else:
- super(ir_attachment, self).write(cr, uid, [id], {'db_datas': value, 'file_size': file_size}, context=context)
+ super(ir_attachment, self).write(cr, SUPERUSER_ID, [id], {'db_datas': value, 'file_size': file_size}, context=context) return True _name = 'ir.attachment'
@@ -186,8 +187,6 @@ class ir_attachment(osv.osv): In the 'document' module, it is overriden to relax this hard rule, since more complex ones apply there. """
- if not ids:
- return res_ids = {} if ids: if isinstance(ids, (int, long)):
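Review bot: Both `super(ir_attachment, self).write(cr, SUPERUSER_ID, ...)` calls in this hunk bypass the per-record access check entirely, so they are only safe if every path into this inverse function has already authorized `uid` against the attachment being written; nothing in the hunk records that invariant. Add a comment above the first superuser write: `# written as SUPERUSER_ID: access to this attachment must already have been checked by create()/write() via check(); never reach this inverse from a path that skips that check`. The enclosing inverse function (the fnct_inv of the `datas` field, presumably `_data_set`) starts before the hunk, so whether all of its entry points perform that check cannot be confirmed here. Note that `_file_delete`/`_file_write` still run with `uid` while the column writes run as superuser; the comment should say that split is intentional so a later edit does not "harmonize" it by escalating the filestore operations too.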
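Review bot: Removing `if not ids: return` makes `check()` fall through to whatever consumes `values` for the creation case, but the docstring in the same hunk says the 'document' module overrides this method to relax the rule; if that override keeps its own early return on empty ids, creation in installations with that module is still unchecked. The override needs the same fix, and the contract should be written down in the docstring: `:param values: for creation (empty ids) the field values being created; access is checked against the related record they name (res_model/res_id, per the commit message)`. The remainder of the method (the `if ids:` branch and the code that inspects `values`) lies after the hunk, so how empty ids plus `values` are actually enforced cannot be verified from here.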
@@ -290,7 +289,7 @@ class ir_attachment(osv.osv): return super(ir_attachment, self).unlink(cr, uid, ids, context) def create(self, cr, uid, values, context=None):
- self.check(cr, uid, [], mode='create', context=context, values=values)
+ self.check(cr, uid, [], mode='write', context=context, values=values) if 'file_size' in values: del values['file_size'] return super(ir_attachment, self).create(cr, uid, values, context)
-- 
1.7.10.4
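Review bot: `create()` still forwards caller-supplied `values` to `super().create` untouched except for `file_size`; if `store_fname` is an ordinary stored column (its definition is outside the hunk, but the previous hunk writes it as a plain field), a client can set it directly and create an attachment that aliases another attachment's filestore file, reading its content without ever going through the `datas` inverse or its checks. Strip it the same way as `file_size`, e.g. `for key in ('file_size', 'store_fname'): values.pop(key, None)`, unless an internal caller is known to rely on passing `store_fname` explicitly. Independently, `self.check(cr, uid, [], mode='write', ...)` is now driven entirely by `values`; a one-line comment such as `# creation is authorized as a write on the related record named in values` would make the reuse of mode='write' less surprising, and what `check()` does when `values` names no record is outside this hunk and worth confirming. The `del values['file_size']` also mutates the caller's dict in place; `values = dict(values)` first if callers are not expected to observe that.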