Techsystech
/
web
mirror of https://github.com/OCA/web.git
3
0
Fork 1
Code Issues Packages Projects Releases Wiki Activity

Prevent to send web notifications to other users 

Only the admin user (sudo) is allowed to send notifications to other
users. The normal users can only send notifications to themselves.

This is to prevent attackers to craft malicious notifications and send
them to other users using RPC.

Correction based on the idea of @hbrunn
pull/1071/head
Guewen Baconnier 2018-10-08 10:04:36 +02:00 committed by Aitor Bouzas
parent 0ad1c90e64
commit ae8e4ec59d
3 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
web_notify/__manifest__.py
View File

@ -5,7 +5,7 @@
'name': 'Web Notify', 'name': 'Web Notify',
'summary': """ 'summary': """
Send notification messages to user""", Send notification messages to user""",
'version': '11.0.1.0.0', 'version': '11.0.1.1.0',
'description': 'Web Notify', 'description': 'Web Notify',
'license': 'AGPL-3', 'license': 'AGPL-3',
'author': 'ACSONE SA/NV,Odoo Community Association (OCA)', 'author': 'ACSONE SA/NV,Odoo Community Association (OCA)',

7
web_notify/models/res_users.py
View File

@ -1,7 +1,7 @@
# Copyright 2016 ACSONE SA/NV # Copyright 2016 ACSONE SA/NV
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
from odoo import api, fields, models, _ from odoo import api, exceptions, fields, models, _, SUPERUSER_ID
class ResUsers(models.Model): class ResUsers(models.Model):
@ -35,6 +35,11 @@ class ResUsers(models.Model):
@api.multi @api.multi
def _notify_channel(self, channel_name_field, message, title, sticky): def _notify_channel(self, channel_name_field, message, title, sticky):
if (self.env.uid != SUPERUSER_ID
and any(user.id != self.env.uid for user in self)):
raise exceptions.UserError(
_('Sending a notification to another user is forbidden.')
)
bus_message = { bus_message = {
'message': message, 'message': message,
'title': title, 'title': title,

11
web_notify/tests/test_res_users.py
View File

@ -1,6 +1,7 @@
# Copyright 2016 ACSONE SA/NV # Copyright 2016 ACSONE SA/NV
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
from odoo import exceptions
from odoo.tests import common from odoo.tests import common
from odoo.addons.bus.models.bus import json_dump from odoo.addons.bus.models.bus import json_dump
import json import json
@ -55,3 +56,13 @@ class TestResUsers(common.TransactionCase):
first_pos_call_args = pos_call_args[0] first_pos_call_args = pos_call_args[0]
self.assertIsInstance(first_pos_call_args, list) self.assertIsInstance(first_pos_call_args, list)
self.assertEqual(len(users), len(first_pos_call_args)) self.assertEqual(len(users), len(first_pos_call_args))
def test_notify_other_user(self):
other_user = self.env.ref('base.user_demo')
other_user_model = self.env['res.users'].sudo(other_user)
with self.assertRaises(exceptions.UserError):
other_user_model.browse(self.env.uid).notify_info('hello')
def test_notify_admin_allowed_other_user(self):
other_user = self.env.ref('base.user_demo')
other_user.notify_info('hello')