From 73d7143e3cfe7151ed0cd58ba5a411f455747d1b Mon Sep 17 00:00:00 2001 From: Chill Date: Mon, 11 Mar 2024 18:43:09 +0800 Subject: [PATCH] [FIX] app_odoo_customize: security --- app_odoo_customize/__manifest__.py | 2 +- .../models/res_config_settings.py | 46 ++++++++++--------- .../static/description/index.html | 2 +- 3 files changed, 27 insertions(+), 23 deletions(-) diff --git a/app_odoo_customize/__manifest__.py b/app_odoo_customize/__manifest__.py index a4016331..ea513cdb 100644 --- a/app_odoo_customize/__manifest__.py +++ b/app_odoo_customize/__manifest__.py @@ -23,7 +23,7 @@ { 'name': 'Odoo 15,14,13 Customize OEM(Boost, Data reset)', - 'version': '14.23.12.28', + 'version': '14.24.03.11', 'author': 'odooai.cn', 'category': 'Productivity', 'website': 'https://www.odooai.cn', diff --git a/app_odoo_customize/models/res_config_settings.py b/app_odoo_customize/models/res_config_settings.py index f33deda0..1bfb0f91 100644 --- a/app_odoo_customize/models/res_config_settings.py +++ b/app_odoo_customize/models/res_config_settings.py @@ -3,7 +3,7 @@ import logging from odoo import api, fields, models, _ - +from odoo.exceptions import UserError _logger = logging.getLogger(__name__) @@ -106,6 +106,8 @@ class ResConfigSettings(models.TransientModel): ir_config.set_param("app_ribbon_name", self.app_ribbon_name or "*odooai.cn") def set_module_url(self): + if not self._app_check_sys_op(): + raise UserError(_('Not allow.')) sql = "UPDATE ir_module_module SET website = '%s' WHERE license like '%s' and website <> ''" % (self.app_enterprise_url, 'OEEL%') try: self._cr.execute(sql) @@ -114,7 +116,9 @@ class ResConfigSettings(models.TransientModel): pass # 清数据,o=对象, s=序列 - def remove_app_data(self, o, s=[]): + def _remove_app_data(self, o, s=[]): + if not self._app_check_sys_op(): + raise UserError(_('Not allow.')) for line in o: # 检查是否存在 try: 
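Review bot: In `set_module_url` the UPDATE statement is still built with `%` string formatting from `self.app_enterprise_url`, so the new `_app_check_sys_op()` guard narrows who can reach the query but the field value is still spliced into SQL unescaped. Let the cursor bind the values instead: `self._cr.execute("UPDATE ir_module_module SET website = %s WHERE license like %s and website <> ''", (self.app_enterprise_url, 'OEEL%'))`. The `try:` around the execute continues outside the hunk. From the context of the next hunk its handler appears to end in `pass`, which would also hide a failed update from the administrator.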
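Review bot: `_remove_app_data` is now the single authorization point for every public `remove_*` wrapper, but nothing on the method says so, and `_app_check_sys_op` is not defined anywhere in this patch, so what it actually verifies cannot be reviewed here. I would replace the one-line comment above the `def` with a docstring stating that the caller must pass `_app_check_sys_op()`, that `o` is the list of model names to purge and `s` the sequence-code prefixes to reset. Separately, the signature keeps the mutable default `s=[]`; `def _remove_app_data(self, o, s=None):` with `s = s or []` as the first statement avoids sharing one list across calls. The loop body continues outside the hunk.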
@@ -166,7 +170,7 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'sale', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_product(self): to_removes = [ @@ -177,7 +181,7 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'product.product', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_product_attribute(self): to_removes = [ @@ -186,7 +190,7 @@ class ResConfigSettings(models.TransientModel): 'product.attribute', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_pos(self): to_removes = [ @@ -199,12 +203,12 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'pos.', ] - res = self.remove_app_data(to_removes, seqs) + res = self._remove_app_data(to_removes, seqs) # 更新要关帐的值,因为 store=true 的计算字段要重置 try: - statement = self.env['account.bank.statement'].sudo().search([]) + statement = self.env['account.bank.statement'].search([]) for s in statement: s._end_balance() except Exception as e: @@ -222,7 +226,7 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'purchase.', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_expense(self): to_removes = [ @@ -235,7 +239,7 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'hr.expense.', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_mrp(self): to_removes = [ @@ -254,7 +258,7 @@ class ResConfigSettings(models.TransientModel): seqs = [ 'mrp.', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_mrp_bom(self): to_removes = [ 
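Review bot: In `remove_pos`, dropping `.sudo()` from `self.env['account.bank.statement'].search([])` leaves the lookup inside `try: ... except Exception as e:`, so an `AccessError` for a caller without accounting rights is caught by that broad handler instead of reaching the user. The handler body is outside the hunk; if it only logs or passes, the end balances are silently left stale after the POS data is already deleted. Catching a narrower exception, or re-raising access errors with `except AccessError: raise` ahead of the generic handler, would keep the permission failure visible.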
@@ -263,7 +267,7 @@ class ResConfigSettings(models.TransientModel): 'mrp.bom', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_inventory(self): to_removes = [ @@ -292,7 +296,7 @@ class ResConfigSettings(models.TransientModel): 'product.tracking.default', 'WH/', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_account(self): to_removes = [ @@ -312,7 +316,7 @@ class ResConfigSettings(models.TransientModel): 'hr.expense.sheet', 'account.move', ] - res = self.remove_app_data(to_removes, []) + res = self._remove_app_data(to_removes, []) # extra 更新序号 domain = [ @@ -423,9 +427,9 @@ class ResConfigSettings(models.TransientModel): pass # raise Warning(e) seqs = [] - res = self.remove_app_data(to_removes, seqs) + res = self._remove_app_data(to_removes, seqs) self._cr.commit() - self.env.company.sudo().write({'chart_template_id': None}) + self.env.company.write({'chart_template_id': None}) return res def remove_project(self): @@ -437,7 +441,7 @@ class ResConfigSettings(models.TransientModel): 'project.project', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_quality(self): to_removes = [ @@ -456,7 +460,7 @@ class ResConfigSettings(models.TransientModel): 'quality.alert', # 'quality.point', ] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_quality_setting(self): to_removes = [ @@ -468,7 +472,7 @@ class ResConfigSettings(models.TransientModel): 'quality.reason', 'quality.tag', ] - return self.remove_app_data(to_removes) + return self._remove_app_data(to_removes) def remove_website(self): to_removes = [ 
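Review bot: In the hunk at `-423,9`, `self._cr.commit()` runs before `self.env.company.write({'chart_template_id': None})`, and with `.sudo()` removed that write can now fail for a user who lacks write access on the company record. The deletions are already committed at that point, so the method can leave the chart data removed while `chart_template_id` still points at it. Doing the write before the commit, or dropping the explicit commit so the whole operation rolls back together, avoids the half-applied state. The context lines before `seqs = []` also show a `try/except` that runs before `_remove_app_data` performs the permission check; the start of that block is outside the hunk, so I would put `if not self._app_check_sys_op(): raise UserError(_('Not allow.'))` at the top of this method as well.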
@@ -489,7 +493,7 @@ class ResConfigSettings(models.TransientModel): # 'website', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_message(self): to_removes = [ @@ -499,7 +503,7 @@ class ResConfigSettings(models.TransientModel): 'mail.activity', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_workflow(self): to_removes = [ @@ -508,7 +512,7 @@ class ResConfigSettings(models.TransientModel): 'wkf.instance', ] seqs = [] - return self.remove_app_data(to_removes, seqs) + return self._remove_app_data(to_removes, seqs) def remove_all_biz(self): self.remove_account() diff --git a/app_odoo_customize/static/description/index.html b/app_odoo_customize/static/description/index.html index d0cb9346..a270950e 100644 --- a/app_odoo_customize/static/description/index.html +++ b/app_odoo_customize/static/description/index.html @@ -20,7 +20,7 @@
-

This is a Long Term Support Apps.Update: v16.5.23.09.30

+

This is a Long Term Support Apps.Update: v14.24.03.11

  • 1. Deletes Odoo label in footer