[FIX] Do not allow signup and reset_password when no token given and opt-in has not been done in config

bzr revid: fme@openerp.com-20140206091722-xc8dv4whp1eb07z4
Fabien Meghazi 2014-02-06 10:17:22 +01:00
parent bce084bac2
commit 55c61046b9
1 changed files with 8 additions and 0 deletions


@ -19,6 +19,7 @@
#
##############################################################################
import logging
import werkzeug
import openerp
import openerp.addons.web.controllers.main as webmain
@ -44,6 +45,9 @@ class AuthSignupHome(openerp.addons.web.controllers.main.Home):
webmain.ensure_db()
qcontext = self.get_auth_signup_qcontext()
if not qcontext.get('token') and not qcontext.get('signup_enabled'):
raise werkzeug.exceptions.NotFound()
if 'error' not in qcontext and request.httprequest.method == 'POST':
try:
self.do_signup(qcontext)
@ -60,6 +64,9 @@ class AuthSignupHome(openerp.addons.web.controllers.main.Home):
webmain.ensure_db()
qcontext = self.get_auth_signup_qcontext()
if not qcontext.get('token') and not qcontext.get('reset_password_enabled'):
raise werkzeug.exceptions.NotFound()
if 'error' not in qcontext and request.httprequest.method == 'POST':
try:
if qcontext.get('token'):
@ -93,6 +100,7 @@ class AuthSignupHome(openerp.addons.web.controllers.main.Home):
def get_auth_signup_qcontext(self):
""" Shared helper returning the rendering context for signup and reset password """
qcontext = request.params.copy()
qcontext.update(self.get_auth_signup_config())
if qcontext.get('token'):
try:
# retrieve the user info (name, login or email) corresponding to a signup token
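Review bot: The two new guards in the signup and reset-password handlers take `signup_enabled` and `reset_password_enabled` from `qcontext`, a dict that `get_auth_signup_qcontext` seeds with `request.params.copy()` and only then updates from `get_auth_signup_config()`, so the 404 holds only while the config dict always carries both keys. If the config ever omits one of them, a request parameter of the same name would decide the check instead. `get_auth_signup_config` is not visible on this page, so that needs confirming. Reading the flag from the config itself removes the dependency on update order, e.g. `if not qcontext.get('token') and not self.get_auth_signup_config().get('signup_enabled'):` and the same for `reset_password_enabled`. Both handler bodies start and end outside the hunks shown.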