[FIX] website_sale: Do not search and associate a company to the partner when an order is validated
This can be regarded as a security leak: you can associate your partner with an existing company to which you may not actually belong, and therefore potentially access data you are not authorized to see. Use street for the company name and street2 for the actual street in the meantime. bzr revid: dle@openerp.com-20140410105804-am2xjmr09u3jk36r
parent
bd7804272b
commit
9c074a67a5
@ -514,14 +514,7 @@ class Ecommerce(http.Controller):
if error:
return request.website.render("website_sale.checkout", values)
|
company_name = checkout['company']
company_id = None
if post['company']:
company_ids = orm_partner.search(cr, SUPERUSER_ID, [("name", "ilike", company_name), ('is_company', '=', True)], context=context)
company_id = (company_ids and company_ids[0]) or orm_partner.create(cr, SUPERUSER_ID, {'name': company_name, 'is_company': True}, context)
|
billing_info = dict((k, v) for k,v in checkout.items() if "shipping_" not in k and k != "company")
billing_info['parent_id'] = company_id
|
partner_id = None
public_id = request.registry['website'].get_public_user(cr, uid, context)
@ -542,7 +535,8 @@ class Ecommerce(http.Controller):
shipping_info = {
'phone': post['shipping_phone'],
'zip': post['shipping_zip'],
'street': post['shipping_street'],
'street': checkout['company'],
'street2': post['shipping_street'],
'city': post['shipping_city'],
'name': post['shipping_name'],
'email': post['email'],
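Review bot: In the shipping_info dict the new line `'street': checkout['company']` is written unconditionally, so a buyer who leaves the company field empty (it was optional — the removed code guarded it with `if post['company']`) gets a shipping address whose first line is blank while the real street is demoted to street2. I would only shift the street when a company name is present: `'street': checkout['company'] or post['shipping_street'],` and `'street2': post['shipping_street'] if checkout['company'] else '',`. Note also that this value is the billing-form company (no shipping_company field appears in this dict) and that it is read from `checkout` while every sibling field reads `post` — if `checkout` is a cleaned copy of `post` the mix is fine, but a one-line comment such as `# company name is stored in street on purpose: never link the partner to an existing company record` would stop the next maintainer from "fixing" it back into a parent_id lookup. The enclosing method starts before the hunk and its body continues after it.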