fix app_odoo_customize 安全

2025-02-23 04:11:36 +02:00 · 2024-03-11 19:23:16 +08:00
parent 85cccab030
commit 61c933cbd1
2 changed files with 37 additions and 2 deletions
--- a/app_odoo_customize/manifest.py
+++ b/app_odoo_customize/manifest.py
@@ -69,7 +69,6 @@ The user can get the help document just by one click.
        'web',
        'mail',
        'web_settings_dashboard',
-        'iap',
        # 'digest',
        # when enterprise
        # 'web_mobile'
--- a/app_odoo_customize/models/app_theme_config_settings.py
+++ b/app_odoo_customize/models/app_theme_config_settings.py
@@ -3,6 +3,7 @@
 import logging

 from odoo import api, fields, models, _
+from odoo.exceptions import UserError

 _logger = logging.getLogger(__name__)

@@ -35,10 +36,17 @@ class ResConfigSettings(models.TransientModel):
    app_account_title = fields.Char('My Odoo.com Account Title')
    app_account_url = fields.Char('My Odoo.com Account Url')

+
+    @api.model
+    def _app_check_sys_op(self):
+        if self.env.user.has_group('base.group_erp_manager'):
+            return True
+        return False
+    
    @api.model
    def get_values(self):
        res = super(ResConfigSettings, self).get_values()
-        ir_config = self.env['ir.config_parameter'].sudo()
+        ir_config = self.env['ir.config_parameter']
        app_system_name = ir_config.get_param('app_system_name', default='odooApp')

        app_show_lang = True if ir_config.get_param('app_show_lang') == "True" else False
@@ -106,6 +114,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_sales(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除销售单据
            ['sale.order.line', ],
@@ -131,6 +141,8 @@ class ResConfigSettings(models.TransientModel):
        return True

    def remove_product(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除产品数据
            ['product.product', ],
@@ -156,6 +168,8 @@ class ResConfigSettings(models.TransientModel):
        return True

    def remove_product_attribute(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除产品属性
            ['product.attribute.value', ],
@@ -174,6 +188,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_pos(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除POS单据
            ['pos.order.line', ],
@@ -200,6 +216,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_purchase(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除采购单据
            ['purchase.order.line', ],
@@ -228,6 +246,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_mrp(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除生产单据
            ['mrp.workcenter.productivity', ],
@@ -262,6 +282,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_mrp_bom(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除生产BOM
            ['mrp.bom.line', ],
@@ -280,6 +302,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_inventory(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除库存单据
            ['stock.quant', ],
@@ -346,6 +370,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_account(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除财务会计单据
            ['account.voucher.line', ],
@@ -414,6 +440,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_account_chart(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除财务科目，用于重设
            ['account.tax.account.tag', ],
@@ -447,6 +475,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_project(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除项目
            ['account.analytic.line', ],
@@ -468,6 +498,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_message(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除消息数据
            ['mail.message', ],
@@ -486,6 +518,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_workflow(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        to_removes = [
            # 清除工作流
            ['wkf.workitem', ],
@@ -505,6 +539,8 @@ class ResConfigSettings(models.TransientModel):

    @api.multi
    def remove_all_biz(self):
+        if not self._app_check_sys_op():
+            raise UserError(_('Not allow.'))
        try:
            self.remove_account()
            self.remove_inventory()