[IMP] website_sale: better access rules and security
bzr revid: chm@openerp.com-20131008152233-zl3dxoyso9liahlm
parent
e535a152e5
commit
20b6367ec5
|
@ -147,7 +147,7 @@ class website(osv.osv):
|
|||
website=request.website,
|
||||
url_for=url_for,
|
||||
res_company=request.website.company_id,
|
||||
user_id=user.browse(cr, openerp.SUPERUSER_ID, uid),
|
||||
user_id=user.browse(cr, uid, uid),
|
||||
)
|
||||
|
||||
context = request.context.copy()
|
||||
|
|
|
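Review bot: The rendering dropped the +/- markers, so I read the second `user_id=` line, `user_id=user.browse(cr, uid, uid),`, as the new side. Browsing res.users as the requesting user instead of SUPERUSER_ID means every field a template reads through `user_id` now goes through that user's own access checks, so the public and portal groups need read access on res.users (at least on their own record) or page rendering raises where it previously succeeded. A one-line why-comment would keep the next maintainer from "fixing" it back: `# browse as uid on purpose: template-visible user data must pass normal access checks`. The enclosing method starts before this hunk.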
@ -6,33 +6,45 @@ from openerp.addons.web import http
|
|||
from openerp.addons.web.http import request
|
||||
from openerp.addons.website.models import website
|
||||
import random
|
||||
import uuid
|
||||
|
||||
def get_order(order_id=None):
|
||||
order_obj = request.registry.get('sale.order')
|
||||
# check if order allready exists
|
||||
# check if order allready exists and have access
|
||||
if order_id:
|
||||
try:
|
||||
order = order_obj.browse(request.cr, SUPERUSER_ID, order_id, context=request.context)
|
||||
order = order_obj.browse(request.cr, request.uid, order_id, context=request.context)
|
||||
order.pricelist_id
|
||||
if order:
|
||||
return order
|
||||
except:
|
||||
order_id = None
|
||||
if not order_id:
|
||||
fields = [k for k, v in order_obj._columns.items()]
|
||||
order_value = order_obj.default_get(request.cr, SUPERUSER_ID, fields, context=request.context)
|
||||
if request.httprequest.session.get('ecommerce_pricelist'):
|
||||
order_value['pricelist_id'] = request.httprequest.session['ecommerce_pricelist']
|
||||
order_value['partner_id'] = request.registry.get('res.users').browse(request.cr, SUPERUSER_ID, request.uid, context=request.context).partner_id.id
|
||||
order_value.update(order_obj.onchange_partner_id(request.cr, SUPERUSER_ID, [], order_value['partner_id'], context=request.context)['value'])
|
||||
order_id = order_obj.create(request.cr, SUPERUSER_ID, order_value, context=request.context)
|
||||
order = order_obj.browse(request.cr, SUPERUSER_ID, order_id, context=request.context)
|
||||
request.httprequest.session['ecommerce_order_id'] = order.id
|
||||
return False
|
||||
|
||||
return order_obj.browse(request.cr, SUPERUSER_ID, order_id,
|
||||
fields = [k for k, v in order_obj._columns.items()]
|
||||
order_value = order_obj.default_get(request.cr, SUPERUSER_ID, fields, context=request.context)
|
||||
if request.httprequest.session.get('ecommerce_pricelist'):
|
||||
order_value['pricelist_id'] = request.httprequest.session['ecommerce_pricelist']
|
||||
order_value['partner_id'] = request.registry.get('res.users').browse(request.cr, SUPERUSER_ID, request.uid, context=request.context).partner_id.id
|
||||
order_value.update(order_obj.onchange_partner_id(request.cr, SUPERUSER_ID, [], order_value['partner_id'], context=request.context)['value'])
|
||||
|
||||
# add website_session_id key for access rules
|
||||
if not request.httprequest.session.get('website_session_id'):
|
||||
request.httprequest.session['website_session_id'] = str(uuid.uuid4())
|
||||
|
||||
order_value["website_session_id"] = request.httprequest.session['website_session_id']
|
||||
order_id = order_obj.create(request.cr, SUPERUSER_ID, order_value, context=request.context)
|
||||
order = order_obj.browse(request.cr, SUPERUSER_ID, order_id, context=request.context)
|
||||
request.httprequest.session['ecommerce_order_id'] = order.id
|
||||
|
||||
return order_obj.browse(request.cr, request.uid, order_id,
|
||||
context=dict(request.context, pricelist=order.pricelist_id.id))
|
||||
|
||||
def get_current_order():
|
||||
if request.httprequest.session.get('ecommerce_order_id'):
|
||||
return get_order(request.httprequest.session.get('ecommerce_order_id'))
|
||||
order = get_order(request.httprequest.session.get('ecommerce_order_id'))
|
||||
if not order:
|
||||
request.httprequest.session['ecommerce_order_id'] = False
|
||||
return order
|
||||
else:
|
||||
return False
|
||||
|
||||
|
@ -317,6 +329,7 @@ class Ecommerce(http.Controller):
|
|||
|
||||
def add_product_to_cart(self, product_id=0, order_line_id=0, number=1, set_number=-1):
|
||||
order_line_obj = request.registry.get('sale.order.line')
|
||||
order_obj = request.registry.get('sale.order')
|
||||
|
||||
order = get_current_order()
|
||||
if not order:
|
||||
|
@ -364,9 +377,8 @@ class Ecommerce(http.Controller):
|
|||
if not quantity:
|
||||
order_line_obj.unlink(request.cr, SUPERUSER_ID, order_line_ids, context=request.context)
|
||||
else:
|
||||
#values['name'] = "website order"
|
||||
order_line_id = order_line_obj.create(request.cr, SUPERUSER_ID, values, context=request.context)
|
||||
order.write({'order_line': [(4, order_line_id)]}, context=request.context)
|
||||
order_obj.write(request.cr, SUPERUSER_ID, [order.id], {'order_line': [(4, order_line_id)]}, context=request.context)
|
||||
|
||||
return [quantity, order.get_total_quantity()]
|
||||
|
||||
|
@ -500,10 +512,11 @@ class Ecommerce(http.Controller):
|
|||
'state_id': post['state_id'],
|
||||
}
|
||||
if not request.context['is_public_user']:
|
||||
partner_id = user_obj.browse(request.cr, request.uid, request.uid, request.context).partner_id.id
|
||||
partner_obj.write(request.cr, request.uid, [partner_id], partner_value, request.context)
|
||||
partner_id = user_obj.browse(request.cr, request.uid, request.uid, context=request.context).partner_id.id
|
||||
partner_obj.write(request.cr, request.uid, [partner_id], partner_value, context=request.context)
|
||||
else:
|
||||
partner_id = partner_obj.create(request.cr, SUPERUSER_ID, partner_value, request.context)
|
||||
partner_id = partner_obj.create(request.cr, SUPERUSER_ID, partner_value, context=request.context)
|
||||
|
||||
|
||||
shipping_id = None
|
||||
if post.get('shipping_different'):
|
||||
|
@ -530,6 +543,7 @@ class Ecommerce(http.Controller):
|
|||
|
||||
order_value = {
|
||||
'partner_id': partner_id,
|
||||
'message_follower_ids': [(4, partner_id)],
|
||||
'partner_invoice_id': partner_id,
|
||||
'partner_shipping_id': shipping_id or partner_id
|
||||
}
|
||||
|
|
|
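Review bot: In `get_order` the new access probe (`order = order_obj.browse(request.cr, request.uid, order_id, context=request.context)` followed by `order.pricelist_id`) is wrapped in a bare `except:`, which treats every failure — a coding error, a lost database connection, a constraint violation — as "no access" and silently falls through to creating a fresh cart as SUPERUSER_ID on the same `request.cr`; after a failed SQL statement that cursor is in an aborted transaction, so the create raises anyway and the real error is hidden. Narrow it to what the ORM raises for a forbidden record, `except (AccessError, except_orm):` with `from openerp.exceptions import AccessError` and `from openerp.osv.orm import except_orm` if not already in scope (confirm which of the two this ORM version raises for record-rule rejections), and document the probe: `# reading a field forces the ir.rule check for request.uid; a foreign cart raises here`. The placement of `order_id = None` and `return False` is not recoverable from this rendering; if `return False` sits inside the except branch the preceding `order_id = None` is dead, and if it sits after the `if order_id:` block the create path below it is unreachable. Note that `add_product_to_cart` in the third hunk now writes the order as SUPERUSER_ID (`order_obj.write(request.cr, SUPERUSER_ID, [order.id], ...)`), so that probe in `get_current_order()` is the only thing standing between an anonymous visitor and someone else's cart — worth saying in a comment on that line.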
@ -1,7 +1,9 @@
|
|||
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
|
||||
access_product_product_public,product.product.public,product.model_product_product,base.group_public,1,0,0,0
|
||||
access_product_template_public,product.template.public,product.model_product_template,base.group_public,1,0,0,0
|
||||
access_product_category_,product.category,product.model_product_category,base.group_public,1,0,0,0
|
||||
access_product_category_,product.category.public,product.model_product_category,base.group_public,1,0,0,0
|
||||
access_product_category_public,product.category.public,product.model_product_public_category,base.group_public,1,0,0,0
|
||||
access_product_pricelist_version_public,product.pricelist.version,product.model_product_pricelist_version,base.group_public,1,0,0,0
|
||||
access_product_product_price_type_public,product.price.type,product.model_product_price_type,base.group_public,1,0,0,0
|
||||
access_product_pricelist_version_public,product.pricelist.version.public,product.model_product_pricelist_version,base.group_public,1,0,0,0
|
||||
access_product_product_price_type_public,product.price.type.public,product.model_product_price_type,base.group_public,1,0,0,0
|
||||
access_sale_order_public,sale.order.public,model_sale_order,base.group_public,1,0,0,0
|
||||
access_sale_order_line_public,sale.order.line.public,model_sale_order_line,base.group_public,1,0,0,0
|
|
|
@ -2,7 +2,7 @@
|
|||
<openerp>
|
||||
<data>
|
||||
<record id="product_template_public" model="ir.rule">
|
||||
<field name="name">product: Public product template</field>
|
||||
<field name="name">Public product template</field>
|
||||
<field name="model_id" ref="product.model_product_template"/>
|
||||
<field name="domain_force">[('website_published', '=', True), ("sale_ok", "=", True)]</field>
|
||||
<field name="groups" eval="[(4, ref('base.group_public'))]"/>
|
||||
|
@ -12,7 +12,7 @@
|
|||
<field name="perm_unlink" eval="False"/>
|
||||
</record>
|
||||
<record id="product_product_public" model="ir.rule">
|
||||
<field name="name">product: Public product</field>
|
||||
<field name="name">Public product</field>
|
||||
<field name="model_id" ref="product.model_product_product"/>
|
||||
<field name="domain_force">[('website_published', '=', True), ("sale_ok", "=", True)]</field>
|
||||
<field name="groups" eval="[(4, ref('base.group_public'))]"/>
|
||||
|
@ -21,5 +21,26 @@
|
|||
<field name="perm_create" eval="False"/>
|
||||
<field name="perm_unlink" eval="False"/>
|
||||
</record>
|
||||
|
||||
<record id="sale_order_personal_rule_public" model="ir.rule">
|
||||
<field name="name">Public Personal Orders</field>
|
||||
<field ref="model_sale_order" name="model_id"/>
|
||||
<field name="domain_force">[('state','=','draft'), ('website_session_id','!=',False), ('website_session_id','!=',session.get('website_session_id'))]</field>
|
||||
<field name="groups" eval="[(4, ref('base.group_public'))]"/>
|
||||
<field name="perm_read" eval="True"/>
|
||||
<field name="perm_write" eval="False"/>
|
||||
<field name="perm_create" eval="False"/>
|
||||
<field name="perm_unlink" eval="False"/>
|
||||
</record>
|
||||
<record id="sale_order_lines_personal_rule_public" model="ir.rule">
|
||||
<field name="name">Public Personal Order lines</field>
|
||||
<field ref="model_sale_order_line" name="model_id"/>
|
||||
<field name="domain_force">[('state','=','draft'), ('order_id.website_session_id','!=',False), ('order_id.website_session_id','!=',session.get('website_session_id'))]</field>
|
||||
<field name="groups" eval="[(4, ref('base.group_public'))]"/>
|
||||
<field name="perm_read" eval="True"/>
|
||||
<field name="perm_write" eval="False"/>
|
||||
<field name="perm_create" eval="False"/>
|
||||
<field name="perm_unlink" eval="False"/>
|
||||
</record>
|
||||
</data>
|
||||
</openerp>
|
||||
|
|
|
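Review bot: The `domain_force` of `sale_order_personal_rule_public` compares `website_session_id` with `'!='` against `session.get('website_session_id')`, so the rule matches every draft order that belongs to some other session and excludes the visitor's own cart — the opposite of a "personal" rule; combined with the new `access_sale_order_public` read grant, an anonymous visitor could read all other visitors' draft carts while `get_order` fails on their own. The last term should read `('website_session_id','=',session.get('website_session_id'))`, and the same inversion is in `sale_order_lines_personal_rule_public` on `order_id.website_session_id`. As far as I know the standard ir.rule eval context only provides `user` and `time`, so `session` must be injected by the website module for these domains to evaluate at all — a comment on the record naming where that happens would help. When the session has no token `session.get` returns `None`, which with `'='` becomes an IS NULL match that the `'!=',False` term already excludes, so the corrected rule fails closed.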
@ -20,12 +20,15 @@
|
|||
##############################################################################
|
||||
|
||||
from openerp import SUPERUSER_ID
|
||||
from openerp.osv import osv
|
||||
|
||||
from openerp.osv import osv, fields
|
||||
|
||||
class sale_order(osv.Model):
|
||||
_inherit = "sale.order"
|
||||
|
||||
_columns = {
|
||||
'website_session_id': fields.char('Session UUID4'),
|
||||
}
|
||||
|
||||
def get_total_quantity(self, cr, uid, ids, context=None):
|
||||
order = self.browse(cr, uid, ids[0], context=context)
|
||||
return int(sum(l.product_uom_qty for l in (order.order_line or [])))
|
||||
|
|
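Review bot: `website_session_id` is the only thing tying an anonymous cart to its visitor — the public-group record rules match on it — but the column declaration says nothing about that, so a later developer may add it to a form view, a portal template or a URL and leak the token. Add a comment above the column: `# owner token for anonymous carts: a random UUID4 kept in the web session; the base.group_public record rules match on it, so never expose it in views, templates, URLs or logs`. Since every public read of sale.order and sale.order.line is filtered on this column, `select=True` on the field is worth considering — confirm against the expected order volume.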