[FIX] app_common, app_odoo_customize: security 13

2025-02-23 04:11:36 +02:00 · 2024-03-11 17:27:22 +08:00
parent 0637e4d0c3
commit 7677f839c3
6 changed files with 51 additions and 34 deletions
--- a/app_common/manifest.py
+++ b/app_common/manifest.py
@@ -33,7 +33,7 @@
 {
    'name': "odooai Odooapp Common Func",
-    'version': '13.22.08.21',
+    'version': '13.24.03.11',
    'author': 'odooai.cn',
    'category': 'Base',
    'website': 'https://www.odooai.cn',
--- a/app_common/models/base.py
+++ b/app_common/models/base.py
@@ -51,6 +51,12 @@ EXCLU_FIELDS = [
 class Base(models.AbstractModel):
    _inherit = 'base'
    @api.model
    def _app_check_sys_op(self):
        if self.env.user.has_group('base.group_erp_manager'):
            return True
        return False
    @api.model
    def _get_normal_fields(self):
        f_list = []
@@ -99,7 +105,9 @@ class Base(models.AbstractModel):
        return dt.astimezone(pytz_timezone).strftime(return_format)
    @api.model
-    def get_image_from_url(self, url):
+    def _get_image_from_url(self, url):
        if not self._app_check_sys_op():
            return False
        if not url:
            return None
        try:
--- a/app_common/static/description/index.html
+++ b/app_common/static/description/index.html
@@ -4,7 +4,7 @@
            <h2 class="oe_slogan"> </h2>
            <h3 class="oe_slogan"> </h3>
            <div class="oe_row">
-                <h3>Lastest update: v13.20.01.01</h3>
+                <h3>Lastest update: v13.24.03.11</h3>
                <div class="row">
                    <img class="oe_demo  oe_screenshot"  style="max-height: 100%;" src="banner.png">
                </div>
--- a/app_odoo_customize/manifest.py
+++ b/app_odoo_customize/manifest.py
@@ -23,7 +23,7 @@
 {
    'name': 'odoo Tweak,Boost,Customize,Ai All in One. Customize,UI,Boost,Security,Data,Development Enhance',
-    'version': '13.23.12.28',
+    'version': '13.24.03.11',
    'author': 'odooai.cn',
    'category': 'Productivity',
    'website': 'https://www.odooai.cn',
--- a/app_odoo_customize/models/res_config_settings.py
+++ b/app_odoo_customize/models/res_config_settings.py
@@ -3,7 +3,7 @@
 import logging
 from odoo import api, fields, models, _
-
+from odoo.exceptions import UserError
 _logger = logging.getLogger(__name__)
@@ -106,14 +106,21 @@ class ResConfigSettings(models.TransientModel):
        ir_config.set_param("app_ribbon_name", self.app_ribbon_name or "*odooai.cn")
    def set_module_url(self):
-        sql = "UPDATE ir_module_module SET website = '%s' WHERE license like '%s' and website <> ''" % (self.app_enterprise_url, 'OEEL%')
+        if not self._app_check_sys_op():
-        try:
+            raise UserError(_('Not allow.'))
-            self._cr.execute(sql)
+        config_parameter = self.env['ir.config_parameter'].sudo()
-            self._cr.commit()
+        app_enterprise_url = config_parameter.get_param('app_enterprise_url', 'https://www.odooai.cn')
-        except Exception as e:
+        modules = self.env['ir.module.module'].search([('license', 'like', 'OEEL%'), ('website', '!=', False)])
-            pass
+        if modules:
            sql = "UPDATE ir_module_module SET website = '%s' WHERE id IN %s" % (app_enterprise_url, tuple(modules.ids))
            try:
                self._cr.execute(sql)
            except Exception as e:
                pass
-    def clear_table(self, t_name):
+    def _clear_table(self, t_name):
        if not self._app_check_sys_op():
            raise UserError(_('Not allow.'))
        sql = "delete from %s" % t_name
        # 增加多公司处理
        try:
@@ -125,7 +132,9 @@ class ResConfigSettings(models.TransientModel):
            return False
    # 清数据，o=对象, s=序列 
-    def remove_app_data(self, o, s=[]):
+    def _remove_app_data(self, o, s=[]):
        if not self._app_check_sys_op():
            raise UserError(_('Not allow.'))
        for line in o:
            # 检查是否存在
            try:
@@ -142,7 +151,7 @@ class ResConfigSettings(models.TransientModel):
            else:
                t_name = obj._table
            # todo: 每个项目具体优化
-            self.clear_table(t_name)
+            self._clear_table(t_name)
        # 更新序号
        for line in s:
@@ -173,7 +182,7 @@ class ResConfigSettings(models.TransientModel):
        seqs = [
            'sale',
        ]
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_product(self):
        to_removes = [
@@ -184,7 +193,7 @@ class ResConfigSettings(models.TransientModel):
        seqs = [
            'product.product',
        ]
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_product_attribute(self):
        to_removes = [
@@ -193,7 +202,7 @@ class ResConfigSettings(models.TransientModel):
            'product.attribute',
        ]
        seqs = []
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_pos(self):
        to_removes = [
@@ -206,12 +215,12 @@ class ResConfigSettings(models.TransientModel):
        seqs = [
            'pos.',
        ]
-        res = self.remove_app_data(to_removes, seqs)
+        res = self._remove_app_data(to_removes, seqs)
        # 更新要关帐的值，因为 store=true 的计算字段要重置
        try:
-            statement = self.env['account.bank.statement'].sudo().search([])
+            statement = self.env['account.bank.statement'].search([])
            for s in statement:
                s._end_balance()
        except Exception as e:
@@ -229,7 +238,7 @@ class ResConfigSettings(models.TransientModel):
        seqs = [
            'purchase.',
        ]
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_expense(self):
        to_removes = [
@@ -242,7 +251,7 @@ class ResConfigSettings(models.TransientModel):
        seqs = [
            'hr.expense.',
        ]
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_mrp(self):
        to_removes = [
@@ -260,7 +269,7 @@ class ResConfigSettings(models.TransientModel):
        seqs = [
            'mrp.',
        ]
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_mrp_bom(self):
        to_removes = [
@@ -269,7 +278,7 @@ class ResConfigSettings(models.TransientModel):
            'mrp.bom',
        ]
        seqs = []
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_inventory(self):
        to_removes = [
@@ -298,7 +307,7 @@ class ResConfigSettings(models.TransientModel):
            'product.tracking.default',
            'WH/',
        ]
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_account(self):
        to_removes = [
@@ -315,7 +324,7 @@ class ResConfigSettings(models.TransientModel):
            'account.reconcile.model.template',
            'account.reconcile.model',
        ]
-        res = self.remove_app_data(to_removes, [])
+        res = self._remove_app_data(to_removes, [])
        # extra 更新序号
        domain = [
@@ -426,9 +435,9 @@ class ResConfigSettings(models.TransientModel):
            pass  # raise Warning(e)
        seqs = []
-        res = self.remove_app_data(to_removes, seqs)
+        res = self._remove_app_data(to_removes, seqs)
        self._cr.commit()
-        self.env.company.sudo().write({'chart_template_id': None})
+        self.env.company.write({'chart_template_id': None})
        return res
    def remove_project(self):
@@ -440,7 +449,7 @@ class ResConfigSettings(models.TransientModel):
            'project.project',
        ]
        seqs = []
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_quality(self):
        to_removes = [
@@ -459,7 +468,7 @@ class ResConfigSettings(models.TransientModel):
            'quality.alert',
            # 'quality.point',
        ]
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_quality_setting(self):
        to_removes = [
@@ -471,7 +480,7 @@ class ResConfigSettings(models.TransientModel):
            'quality.reason',
            'quality.tag',
        ]
-        return self.remove_app_data(to_removes)
+        return self._remove_app_data(to_removes)
    def remove_website(self):
        to_removes = [
@@ -492,7 +501,7 @@ class ResConfigSettings(models.TransientModel):
            # 'website',
        ]
        seqs = []
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_message(self):
        to_removes = [
@@ -504,7 +513,7 @@ class ResConfigSettings(models.TransientModel):
            'bus.bus',
        ]
        seqs = []
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_workflow(self):
        to_removes = [
@@ -513,7 +522,7 @@ class ResConfigSettings(models.TransientModel):
            'wkf.instance',
        ]
        seqs = []
-        return self.remove_app_data(to_removes, seqs)
+        return self._remove_app_data(to_removes, seqs)
    def remove_all_biz(self):
        self.remove_account()
--- a/app_odoo_customize/static/description/index.html
+++ b/app_odoo_customize/static/description/index.html
@@ -20,7 +20,7 @@
 <section class="container app">
    <div class="oe_row oe_spaced" style="max-width: 95%;">
        <div class="row">
-            <h2 class="oe_slogan">This is a Long Term Support Apps.Update: v16.5.23.09.30</h2>
+            <h2 class="oe_slogan">This is a Long Term Support Apps.Update: v13.24.03.11</h2>
            <div class="oe_demo" style=" margin: 30px auto 0; padding: 0 15px 0 0; border:none; width: 96%;">
                <ul class="list-group">
                    <li class="list-group-item">1. Deletes Odoo label in footer</li>