Prevent to send web notifications to other users

Only the admin user (sudo) is allowed to send notifications to other users. The normal users can only send notifications to themselves. This is to prevent attackers to craft malicious notifications and send them to other users using RPC. Correction based on the idea of @hbrunn
2025-02-22 13:21:25 +02:00 · 2018-10-08 10:04:36 +02:00
parent 77c2b42351
commit d21c87f525
4 changed files with 24 additions and 2 deletions
--- a/web_notify/i18n/web_notify.pot
+++ b/web_notify/i18n/web_notify.pot
@@ -29,6 +29,12 @@ msgstr ""
 msgid "Notify Warning Channel Name"
 msgstr ""

+#. module: web_notify
+#: code:addons/web_notify/models/res_users.py:41
+#, python-format
+msgid "Sending a notification to another user is forbidden."
+msgstr ""
+
 #. module: web_notify
 #: model:ir.model,name:web_notify.model_res_users
 msgid "Users"