From 1f0669b71bcb33e63a3f06bebf636d171f0067ce Mon Sep 17 00:00:00 2001 From: Chill Date: Mon, 11 Mar 2024 18:16:14 +0800 Subject: [PATCH] [FIX] app_odoo_customize: security --- app_odoo_customize/__manifest__.py | 2 +- .../models/res_config_settings.py | 57 ++++++++++--------- .../static/description/index.html | 2 +- 3 files changed, 33 insertions(+), 28 deletions(-) diff --git a/app_odoo_customize/__manifest__.py b/app_odoo_customize/__manifest__.py index 773e5ceb..8c096f37 100644 --- a/app_odoo_customize/__manifest__.py +++ b/app_odoo_customize/__manifest__.py @@ -23,7 +23,7 @@ { 'name': 'odoo17 Tweak,Ai Employee,Boost,Customize All in One. Customize,UI,Boost,Security,Data,Development Enhance', - 'version': '24.02.29', + 'version': '24.03.11', 'author': 'odooai.cn', 'category': 'Extra Tools', 'website': 'https://www.odooai.cn', diff --git a/app_odoo_customize/models/res_config_settings.py b/app_odoo_customize/models/res_config_settings.py index 8372fa2f..712d579d 100644 --- a/app_odoo_customize/models/res_config_settings.py +++ b/app_odoo_customize/models/res_config_settings.py 
@@ -69,17 +69,22 @@ class ResConfigSettings(models.TransientModel): @api.model def set_module_url(self, rec=None): + if not self._app_check_sys_op(): + raise UserError(_('Not allow.')) config_parameter = self.env['ir.config_parameter'].sudo() app_enterprise_url = config_parameter.get_param('app_enterprise_url', 'https://www.odooai.cn') - sql = "UPDATE ir_module_module SET website = '%s' WHERE license like '%s' and website <> ''" % (app_enterprise_url, 'OEEL%') - try: - self._cr.execute(sql) - self._cr.commit() - except Exception as e: - pass + modules = self.env['ir.module.module'].search([('license', 'like', 'OEEL%'), ('website', '!=', False)]) + if modules: + sql = "UPDATE ir_module_module SET website = '%s' WHERE id IN %s" % (app_enterprise_url, tuple(modules.ids)) + try: + self._cr.execute(sql) + except Exception as e: + pass # 清数据,o=对象, s=序列 - def remove_app_data(self, o, s=[]): + def _remove_app_data(self, o, s=[]): + if not self._app_check_sys_op(): + raise UserError(_('Not allow.')) for line in o: # 检查是否存在 try: @@ -131,7 +136,7 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'sale', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_product(self): to_removes = [ @@ -142,7 +147,7 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'product.product', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_product_attribute(self): to_removes = [ @@ -151,7 +156,7 @@ class ResConfigSettings(models.TransientModel): 'product.attribute', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_pos(self): to_removes = [ 
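Review bot: In set_module_url (the `@@ -69,17 +69,22 @@` hunk) the new UPDATE is still assembled with Python `%` formatting, so the `app_enterprise_url` config parameter is pasted into the statement unescaped and a quote character in it changes the SQL. The same formatting renders a single matching module as `IN (5,)` (constructed example), which PostgreSQL rejects, and `except Exception as e: pass` hides that failure while the cursor's transaction is likely left aborted. Pass the values as query parameters instead, `self._cr.execute("UPDATE ir_module_module SET website = %s WHERE id IN %s", (app_enterprise_url, tuple(modules.ids)))`, and log the exception rather than discarding it. Separately, `_remove_app_data(self, o, s=[])` keeps a mutable default argument; `s=None` with `s = s or []` at the top of the body avoids sharing one list between calls. The body of `_remove_app_data` continues past the end of the hunk.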
@@ -164,12 +169,12 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'pos.', ] - res = self.remove_app_data(to_removes, seqs) + res = self._remove_app_data(to_removes, seqs) # 更新要关帐的值,因为 store=true 的计算字段要重置 try: - statement = self.env['account.bank.statement'].sudo().search([]) + statement = self.env['account.bank.statement'].search([]) for s in statement: s._end_balance() except Exception as e: @@ -187,7 +192,7 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'purchase.', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_expense(self): to_removes = [ @@ -200,7 +205,7 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'hr.expense.', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_mrp(self): to_removes = [ @@ -219,7 +224,7 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'mrp.', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_mrp_bom(self): to_removes = [ @@ -228,7 +233,7 @@ class ResConfigSettings(models.TransientModel): 'mrp.bom', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_inventory(self): to_removes = [ @@ -256,7 +261,7 @@ class ResConfigSettings(models.TransientModel): 'product.tracking.default', 'WH/', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_account(self): to_removes = [ @@ -277,7 +282,7 @@ class ResConfigSettings(models.TransientModel): 'hr.expense.sheet', 'account.move', ] - res = self.remove_app_data(to_removes, []) + res = self._remove_app_data(to_removes, []) # extra 更新序号 domain = [ @@ -393,7 +398,7 @@ class ResConfigSettings(models.TransientModel): seqs = [] - res = self.remove_app_data(to_removes, seqs) + res = self._remove_app_data(to_removes, seqs) return res def remove_project(self): 
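Review bot: In remove_pos (the `@@ -164,12 +169,12 @@` hunk), dropping `.sudo()` from the `account.bank.statement` search means an access error for a caller without accounting rights now lands in the surrounding `except Exception as e:`, whose body is outside the hunk. If that handler only passes, as the one in set_module_url does, the end-balance recomputation is skipped without any trace. Logging in the handler, for example `_logger.warning("end balance recompute skipped: %s", e)`, would make the skipped step visible; `_logger` here is a placeholder for whatever logger the module defines.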
@@ -412,7 +417,7 @@ class ResConfigSettings(models.TransientModel): 'project.task.stage.personal', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_quality(self): to_removes = [ @@ -431,7 +436,7 @@ class ResConfigSettings(models.TransientModel): 'quality.alert', # 'quality.point', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_quality_setting(self): to_removes = [ @@ -443,7 +448,7 @@ class ResConfigSettings(models.TransientModel): 'quality.reason', 'quality.tag', ] - return self.remove_app_data(to_removes) + return self._remove_app_data(to_removes) def remove_website(self): to_removes = [ @@ -464,7 +469,7 @@ class ResConfigSettings(models.TransientModel): # 'website', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_message(self): to_removes = [ @@ -474,7 +479,7 @@ class ResConfigSettings(models.TransientModel): 'mail.activity', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_workflow(self): to_removes = [ @@ -483,7 +488,7 @@ class ResConfigSettings(models.TransientModel): # 'wkf.instance', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_all_biz(self): self.remove_account() @@ -519,7 +524,7 @@ class ResConfigSettings(models.TransientModel): return True def action_set_app_doc_root_to_my(self): - base_url = self.env['ir.config_parameter'].sudo().get_param('web.base.url') + base_url = self.env['ir.config_parameter'].get_param('web.base.url') self.app_doc_root_url = base_url # def action_set_all_to_app_doc_root_url(self): diff --git a/app_odoo_customize/static/description/index.html b/app_odoo_customize/static/description/index.html index 0fab14cc..3dee3c53 100644 --- a/app_odoo_customize/static/description/index.html 
+++ b/app_odoo_customize/static/description/index.html @@ -20,7 +20,7 @@
-

This is a Long Term Support Apps.Update: v17.24.03.01

+

This is a Long Term Support Apps.Update: v17.24.03.11

  • 1. Deletes Odoo label in footer