
publish muk_security - 12.0

pull/9/head
MuK IT GmbH 6 years ago
parent
commit
8e50dc1674
  1. 2
      muk_security/__manifest__.py
  2. 96
      muk_security/models/mixins_access_groups.py

2
muk_security/__manifest__.py

@ -20,7 +20,7 @@
{ {
"name": "MuK Security", "name": "MuK Security",
"summary": """Security Features""", "summary": """Security Features""",
"version": "12.0.1.2.0",
"version": "12.0.1.2.1",
"category": "Extra Tools", "category": "Extra Tools",
"license": "AGPL-3", "license": "AGPL-3",
"website": "http://www.mukit.at", "website": "http://www.mukit.at",

96
muk_security/models/mixins_access_groups.py

@ -87,26 +87,29 @@ class AccessGroupsModel(models.AbstractModel):
if self.env.user.id == SUPERUSER_ID or isinstance(self.env.uid, NoSecurityUid): if self.env.user.id == SUPERUSER_ID or isinstance(self.env.uid, NoSecurityUid):
return None return None
where_clause = ''' where_clause = '''
"{table}"."id" IN (
"{table}".id IN (
SELECT r.aid SELECT r.aid
JOIN {table}_complete_groups_rel r JOIN {table}_complete_groups_rel r
JOIN muk_security_access_groups g ON r.gid = g.id JOIN muk_security_access_groups g ON r.gid = g.id
JOIN muk_security_access_groups_users_rel u ON r.gid = u.gid JOIN muk_security_access_groups_users_rel u ON r.gid = u.gid
WHERE (u.uid = %s AND g.perm_{mode} = true)
WHERE u.uid = %s AND g.perm_{mode} = true
) )
'''.format(table=self._table, mode=mode) '''.format(table=self._table, mode=mode)
if not self._access_groups_strict: if not self._access_groups_strict:
or_clause = '''
OR NOT EXISTS (
exists_clause = '''
NOT EXISTS (
SELECT 1 SELECT 1
FROM {table}_complete_groups_rel sr
JOIN muk_security_access_groups sg ON sr.gid = sg.id
WHERE sr.aid = "{table}"."id"
FROM {table}_complete_groups_rel r
JOIN muk_security_access_groups g ON r.gid = g.id
WHERE r.aid = "{table}".id {groups_mode}
)
'''
groups_mode = self._access_groups_mode and 'AND sg.perm_{mode} = true'.format(mode=mode)
exists_clause = exists_clause.format(table=self._table, groups_mode=groups_mode or "")
where_clause = '({groups_clause} OR {exists_clause})'.format(
groups_clause=where_clause,
exists_clause=exists_clause,
) )
'''.format(table=self._table)
if self._access_groups_mode:
or_clause += 'AND sg.perm_{mode} = true'.format(mode=mode)
where_clause += or_clause
query.where_clause += [where_clause] query.where_clause += [where_clause]
query.where_clause_params += [self.env.user.id] query.where_clause_params += [self.env.user.id]
@ -137,7 +140,21 @@ class AccessGroupsModel(models.AbstractModel):
def check_access_groups(self, operation): def check_access_groups(self, operation):
if self.env.user.id == SUPERUSER_ID or isinstance(self.env.uid, NoSecurityUid): if self.env.user.id == SUPERUSER_ID or isinstance(self.env.uid, NoSecurityUid):
return None return None
sql_query = '''
exists_query = '''
SELECT id
FROM {table} a
WHERE NOT EXISTS (
SELECT 1
FROM {table}_complete_groups_rel r
JOIN muk_security_access_groups g ON r.gid = g.id
WHERE r.aid = "{table}".id {groups_mode}
);
'''
groups_mode = self._access_groups_mode and 'AND sg.perm_{mode} = true'.format(mode=mode)
exists_query = exists_query.format(table=self._table, groups_mode=groups_mode or "")
self.env.cr.execute(exists_query)
group_ids = set(self.ids) - set(map(lambda val: val[0], self.env.cr.fetchall()))
group_query = '''
SELECT perm_{operation} SELECT perm_{operation}
FROM {table}_complete_groups_rel r FROM {table}_complete_groups_rel r
JOIN muk_security_access_groups g ON r.gid = g.id JOIN muk_security_access_groups g ON r.gid = g.id
@ -146,36 +163,33 @@ class AccessGroupsModel(models.AbstractModel):
'''.format( '''.format(
operation=operation, operation=operation,
table=self._table, table=self._table,
ids=', '.join(map(lambda id: '(%s)' % id, self.ids)),
)
if not self._access_groups_strict:
or_clause = '''
OR NOT EXISTS (
SELECT 1
FROM {table}_complete_groups_rel sr
JOIN muk_security_access_groups sg ON sr.gid = sg.id
WHERE sr.aid = ANY (VALUES {ids})
ids=', '.join(map(lambda id: '(%s)' % id, group_ids)),
) )
'''.format(
table=self._table,
ids=', '.join(map(lambda id: '(%s)' % id, self.ids))
)
if self._access_groups_mode:
or_clause += 'AND sg.perm_{operation} = true'.format(operation=operation)
sql_query += or_clause
self.env.cr.execute(sql_query, [self.env.user.id]) self.env.cr.execute(sql_query, [self.env.user.id])
result = self.env.cr.fetchall()
if len(result) < self.ids or any(list(map(lambda val: val[0], result))):
if len(result) < group_ids or any(list(map(lambda val: val[0], self.env.cr.fetchall()))):
raise AccessError(_( raise AccessError(_(
'The requested operation cannot be completed due to security restrictions. ' 'The requested operation cannot be completed due to security restrictions. '
'Please contact your system administrator.\n\n(Document type: %s, Operation: %s)' 'Please contact your system administrator.\n\n(Document type: %s, Operation: %s)'
) % (self._description, operation)) ) % (self._description, operation))
@api.multi @api.multi
def filter_access_groups(self, operation): def filter_access_groups(self, operation):
if self.env.user.id == SUPERUSER_ID or isinstance(self.env.uid, NoSecurityUid): if self.env.user.id == SUPERUSER_ID or isinstance(self.env.uid, NoSecurityUid):
return self return self
exists_query = '''
SELECT id
FROM {table} a
WHERE NOT EXISTS (
SELECT 1
FROM {table}_complete_groups_rel r
JOIN muk_security_access_groups g ON r.gid = g.id
WHERE r.aid = "{table}".id {groups_mode}
);
'''
groups_mode = self._access_groups_mode and 'AND sg.perm_{mode} = true'.format(mode=mode)
exists_query = exists_query.format(table=self._table, groups_mode=groups_mode or "")
self.env.cr.execute(exists_query)
group_ids = set(self.ids) - set(map(lambda val: val[0], self.env.cr.fetchall()))
sql_query = ''' sql_query = '''
SELECT r.aid SELECT r.aid
FROM {table}_complete_groups_rel r FROM {table}_complete_groups_rel r
@ -184,27 +198,11 @@ class AccessGroupsModel(models.AbstractModel):
WHERE (r.aid = ANY (VALUES {ids}) AND u.uid = %s AND g.perm_{operation} = true) WHERE (r.aid = ANY (VALUES {ids}) AND u.uid = %s AND g.perm_{operation} = true)
'''.format( '''.format(
table=self._table, table=self._table,
ids=', '.join(map(lambda id: '(%s)' % id, self.ids)),
ids=', '.join(map(lambda id: '(%s)' % id, group_ids)),
operation=operation, operation=operation,
) )
if not self._access_groups_strict:
or_clause = '''
OR NOT EXISTS (
SELECT 1
FROM {table}_complete_groups_rel sr
JOIN muk_security_access_groups sg ON sr.gid = sg.id
WHERE sr.aid = ANY (VALUES {ids})
)
'''.format(
table=self._table,
ids=', '.join(map(lambda id: '(%s)' % id, self.ids))
)
if self._access_groups_mode:
or_clause += 'AND sg.perm_{operation} = true'.format(operation=operation)
sql_query += or_clause
self.env.cr.execute(sql_query, [self.env.user.id]) self.env.cr.execute(sql_query, [self.env.user.id])
result = self.env.cr.fetchall()
return self.browse(list(map(lambda val: val[0], result)))
return self.browse(list(map(lambda val: val[0], self.env.cr.fetchall())) + list(group_ids))
#---------------------------------------------------------- #----------------------------------------------------------
# Create, Update, Delete # Create, Update, Delete
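Review bot: In `filter_access_groups` the new return line appends `list(group_ids)`, and `group_ids` is `set(self.ids)` minus the ids the pre-query found without a group, so every record that has a group is returned whether or not the user's groups grant `perm_{operation}`, while group-less records are dropped. The intent was presumably the reverse: append the group-less ids, and only when `_access_groups_strict` is false; in the lines shown neither this method nor `check_access_groups` consults that flag any more, so in `check_access_groups` group-less records skip the check in strict mode as well. The pre-query also looks unable to run when `_access_groups_mode` is set, because its fragment `'AND sg.perm_{mode} = true'.format(mode=mode)` names alias `sg` and variable `mode` while the subquery aliases the table `g` and both methods take `operation` (the first hunk has the same `sg`/`g` mismatch), and `"{table}".id` is referenced after the table was aliased `a`. In `check_access_groups` the unchanged `self.env.cr.execute(sql_query, ...)` and the new `len(result) < group_ids` still use `sql_query` and `result`, which the new code renames to `group_query` or removes, and compare an int with a set. Both method bodies continue outside the hunks, so the sketch below covers only the `filter_access_groups` lines visible here.

```python
def filter_access_groups(self, operation):
    # … unchanged: early return for superuser / NoSecurityUid, exists_query text …
    groups_mode = self._access_groups_mode and 'AND g.perm_{operation} = true'.format(operation=operation)
    # … unchanged: exists_query formatted and executed …
    ungrouped_ids = set(self.ids) & set(row[0] for row in self.env.cr.fetchall())
    group_ids = set(self.ids) - ungrouped_ids
    # … unchanged: sql_query built from group_ids and executed with the user id …
    allowed_ids = [row[0] for row in self.env.cr.fetchall()]
    if not self._access_groups_strict:
        # records without any access group stay visible only in non-strict mode
        allowed_ids += list(ungrouped_ids)
    return self.browse(allowed_ids)
```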
