From 4e659025f5109b022df81ead2f1537cc30863e38 Mon Sep 17 00:00:00 2001
From: Ivan Office
Date: Mon, 11 Mar 2024 19:19:54 +0800
Subject: [PATCH] update security

---
 app_odoo_customize/__manifest__.py | 3 +-
 .../models/res_config_settings.py | 72 ++++++++++++-------
 2 files changed, 46 insertions(+), 29 deletions(-)

diff --git a/app_odoo_customize/__manifest__.py b/app_odoo_customize/__manifest__.py
index e59fe4bb..770ca5b6 100644
--- a/app_odoo_customize/__manifest__.py
+++ b/app_odoo_customize/__manifest__.py
@@ -23,7 +23,7 @@
 {
 'name': 'Customize odoo OEM (Boost, My Odoo)',
- 'version': '12.22.03.01',
+ 'version': '12.24.03.11',
 'author': 'odooai.cn',
 'category': 'Productivity',
 'website': 'https://www.odooai.cn',
@@ -80,7 +80,6 @@
 'web',
 'mail',
 'web_settings_dashboard',
- 'iap',
 # 'digest', # when enterprise
 # 'web_mobile'
diff --git a/app_odoo_customize/models/res_config_settings.py b/app_odoo_customize/models/res_config_settings.py
index 30d68b6b..bad0cf52 100644
--- a/app_odoo_customize/models/res_config_settings.py
+++ b/app_odoo_customize/models/res_config_settings.py
@@ -3,6 +3,7 @@
 import logging

 from odoo import api, fields, models, _
+from odoo.exceptions import UserError

 _logger = logging.getLogger(__name__)

@@ -33,6 +34,13 @@ class ResConfigSettings(models.TransientModel):
 app_account_url = fields.Char('My Odoo.com Account Url')
 app_enterprise_url = fields.Char('Customize Module Url(eg. Enterprise)')

+
+ @api.model
+ def _app_check_sys_op(self):
+ if self.env.user.has_group('base.group_erp_manager'):
+ return True
+ return False
+
 @api.model
 def get_values(self):
 res = super(ResConfigSettings, self).get_values()
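Review bot: `_app_check_sys_op` gates every destructive `remove_*` action and `set_module_url` on `base.group_erp_manager` (Administration / Access Rights); if I recall the Odoo 12 group hierarchy correctly, `base.group_system` implies that group, so anyone granted Access Rights — not only Settings administrators — can wipe business tables, and `base.group_system` is the stricter choice if that is the intent. The test is evaluated against `self.env.user`, so any caller that reaches these methods through `sudo()` passes it automatically; that deserves a comment on the helper, e.g. `# Gate for destructive admin actions; trivially true under sudo(), so never call from sudo'd code.` The if/return pair also reduces to a single line, `return self.env.user.has_group('base.group_erp_manager')`.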
@@ -83,7 +91,7 @@ class ResConfigSettings(models.TransientModel):
 @api.multi
 def set_values(self):
 super(ResConfigSettings, self).set_values()
- ir_config = self.env['ir.config_parameter'].sudo()
+ ir_config = self.env['ir.config_parameter']
 ir_config.set_param("app_system_name", self.app_system_name or "")
 ir_config.set_param("app_show_lang", self.app_show_lang or "False")
 ir_config.set_param("app_show_debug", self.app_show_debug or "False")
@@ -106,6 +114,8 @@ class ResConfigSettings(models.TransientModel):
 ir_config.set_param("app_enterprise_url", self.app_enterprise_url or "https://www.odooai.cn")

 def set_module_url(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 sql = "UPDATE ir_module_module SET website = '%s' WHERE license like '%s' and website <> ''" % (self.app_enterprise_url, 'OEEL%')
 try:
 self._cr.execute(sql)
@@ -113,6 +123,10 @@ class ResConfigSettings(models.TransientModel):
 pass

 def remove_sales(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除销售单据
 ['sale.order.line', ],
@@ -144,6 +158,8 @@ class ResConfigSettings(models.TransientModel):
 return True

 def remove_product(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除产品数据
 ['product.product', ],
@@ -167,6 +183,8 @@ class ResConfigSettings(models.TransientModel):
 return True

 def remove_product_attribute(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除产品属性
 ['product.attribute.value', ],
@@ -185,6 +203,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_pos(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除POS单据
 ['pos.order.line', ],
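Review bot: Dropping `.sudo()` on the `ir_config` line makes `set_values` write `ir.config_parameter` with the calling user's own access rights, which is the hardening the commit title implies but is the kind of change a later maintainer reverts without noticing; add a why-comment on the new line, e.g. `# no sudo(): the ir.config_parameter ACL must apply to the user saving settings`. A user who can open the settings form but lacks write access on `ir.config_parameter` will now get an AccessError from `set_param` instead of a silent write — presumably intended, but worth confirming against the groups that can reach this wizard. The method body continues outside the hunk.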
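Review bot: The permission check added at the top of `set_module_url` does not address the SQL injection on the line right after it: `self.app_enterprise_url` is a user-editable Char field and is interpolated with `%` into the `UPDATE ir_module_module` statement, so a single quote in the URL breaks out of the literal and anyone who passes the new check can run arbitrary SQL as the database role. Pass the values as query parameters instead: `self._cr.execute("UPDATE ir_module_module SET website = %s WHERE license LIKE %s AND website <> ''", (self.app_enterprise_url, 'OEEL%'))`. The `try`/`except` around the execute continues outside the hunk; if it still swallows the exception the way the deleted `remove_expense` copy did, a failed statement would also go unreported.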
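Review bot: The guard is inserted twice in `remove_sales` — the `if not self._app_check_sys_op(): raise UserError(_('Not allow.'))` pair appears back to back — so the second copy is dead code and should be deleted. Harmless at runtime, but it shows the checks were pasted by hand into each method; a single shared helper would have avoided this. The rest of the method is outside the hunk.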
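Review bot: The same two-line guard is pasted into `remove_product` and every other `remove_*` method in this commit; a helper that raises, e.g. `def _app_ensure_sys_op(self): if not self._app_check_sys_op(): raise UserError(_('Not allow.'))`, would reduce each guard to `self._app_ensure_sys_op()` and keep the message in one place (Odoo's `self.user_has_groups('base.group_erp_manager')` could also replace the hand-written test). `_app_check_sys_op` can stay as-is for any caller that wants the boolean. The body of `remove_product` continues outside the hunk.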
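Review bot: `UserError(_('Not allow.'))` in `remove_product_attribute` (and the identical guards elsewhere in the commit) is the wrong exception type and an ungrammatical user-facing message for an authorisation failure; Odoo's convention for "you may not do this" is `odoo.exceptions.AccessError`, which the client reports as an access error rather than a generic warning. Suggest `raise AccessError(_('Only administrators can clear this data.'))` with the matching import next to `UserError`, applied to every guard so the message is consistent. The method body continues outside the hunk.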
@@ -214,6 +234,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_purchase(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除采购单据
 ['purchase.order.line', ],
@@ -244,32 +266,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_expense(self):
- to_removes = [
- # 清除采购单据
- ['hr.expense.sheet', ],
- ['hr.expense', ],
- ]
- try:
- for line in to_removes:
- obj_name = line[0]
- obj = self.pool.get(obj_name)
- if obj:
- sql = "delete from %s" % obj._table
- self._cr.execute(sql)
- # 更新序号
- seqs = self.env['ir.sequence'].search([
- ('code', '=', 'hr.expense.invoice')])
- for seq in seqs:
- seq.write({
- 'number_next': 1,
- })
- self._cr.execute(sql)
- except Exception as e:
- pass # raise Warning(e)
- return True
-
- @api.multi
- def remove_expense(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除
 ['hr.expense.sheet', ],
@@ -298,6 +296,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_mrp(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除生产单据
 ['mrp.workcenter.productivity', ],
@@ -333,6 +333,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_mrp_bom(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除生产BOM
 ['mrp.bom.line', ],
@@ -351,6 +353,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_inventory(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除库存单据
 ['stock.quant', ],
@@ -402,6 +406,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_account(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除财务会计单据
 ['account.voucher.line', ],
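Review bot: The new guard in `remove_account` decides who may call it, but what it protects is raw `delete from <table>` SQL run through `self._cr` — the pattern is visible in the `remove_expense` lines this commit deletes, and the body of `remove_account` (outside the hunk) presumably follows it — which bypasses record rules, `unlink` overrides and the mail/audit trail entirely. For accounting data in particular, consider logging who triggered the wipe before the deletes run, e.g. `_logger.warning('remove_account triggered by uid %s', self.env.uid)`, so the action is attributable after the fact. If the surrounding `except Exception: pass` is still in place, a partially failed wipe is also invisible to the caller.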
@@ -452,6 +458,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_account_chart(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除财务科目,用于重设
 ['res.partner.bank', ],
@@ -530,6 +538,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_project(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除项目
 ['account.analytic.line', ],
@@ -551,6 +561,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_website(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除网站数据,w, w_blog
 ['blog.tag.category', ],
@@ -579,6 +591,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_message(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除消息数据
 ['mail.message', ],
@@ -597,6 +611,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_workflow(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 to_removes = [
 # 清除工作流
 ['wkf.workitem', ],
@@ -616,6 +632,8 @@ class ResConfigSettings(models.TransientModel):

 @api.multi
 def remove_all_biz(self):
+ if not self._app_check_sys_op():
+ raise UserError(_('Not allow.'))
 try:
 self.remove_account()
 self.remove_inventory()
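Review bot: Placing the guard above the `try:` in `remove_all_biz` is the right call and deserves a comment, because if the except clause (outside the hunk) swallows `Exception` the way the deleted `remove_expense` copy did, a `UserError` raised by the callees' own guards inside the `try` would be silently discarded and the method would report success to an unauthorised user; suggest `# must stay above the try: the except below would swallow the UserError`. Since every `remove_*` callee now repeats the same check, this outer guard is what actually surfaces the denial to the caller. The rest of the method, including the except clause, is outside the hunk.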