Prevent to send web notifications to other users

Only the admin user (sudo) is allowed to send notifications to other users. The normal users can only send notifications to themselves. This is to prevent attackers to craft malicious notifications and send them to other users using RPC. Correction based on the idea of @hbrunn
2018-10-08 10:28:54 +02:00 · 2018-10-08 10:28:54 +02:00 · 7924072514
parent 9ac4a2400b
commit 7924072514
2 changed files with 17 additions and 1 deletions
--- a/web_notify/models/res_users.py
+++ b/web_notify/models/res_users.py
@ -3,7 +3,7 @@
 # Copyright 2018 Camptocamp
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).

-from odoo import api, fields, models, _
+from odoo import api, exceptions, fields, models, _, SUPERUSER_ID
 from odoo.addons.web.controllers.main import clean_action


@ -48,6 +48,11 @@ class ResUsers(models.Model):

    @api.multi
    def _notify_channel(self, channel_name_field, message, title, **options):
+        if (self.env.uid != SUPERUSER_ID
+                and any(user.id != self.env.uid for user in self)):
+            raise exceptions.UserError(
+                _('Sending a notification to another user is forbidden.')
+            )
        if options.get('action'):
            options['action'] = clean_action(options['action'])
        bus_message = {
--- a/web_notify/tests/test_res_users.py
+++ b/web_notify/tests/test_res_users.py
@ -3,6 +3,7 @@
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
 import json

+from odoo import exceptions
 from odoo.tests import common
 from odoo.addons.bus.models.bus import json_dump
 import mock
@ -100,3 +101,13 @@ class TestResUsers(common.TransactionCase):
            first_pos_call_args = pos_call_args[0]
            self.assertIsInstance(first_pos_call_args, list)
            self.assertEqual(len(users), len(first_pos_call_args))
+
+    def test_notify_other_user(self):
+        other_user = self.env.ref('base.user_demo')
+        other_user_model = self.env['res.users'].sudo(other_user)
+        with self.assertRaises(exceptions.UserError):
+            other_user_model.browse(self.env.uid).notify_info('hello')
+
+    def test_notify_admin_allowed_other_user(self):
+        other_user = self.env.ref('base.user_demo')
+        other_user.notify_info('hello')