Don't allow rpc call on ModelStorage without ModelView
CVE-2012-0215
issue2476
review303001
cedk committed Mar 28, 2012
1 parent e7b1f97 commit d059ebb
Showing 2 changed files with 15 additions and 12 deletions.
1 change: 1 addition & 0 deletions CHANGELOG
@@ -1,3 +1,4 @@
* Don't allow rpc call on ModelStorage without ModelView (CVE-2012-0215)
* Add shared WebDAV
* Remove workflow module
* Simplify workflow engine
26 changes: 14 additions & 12 deletions trytond/model/modelstorage.py
@@ -26,6 +26,7 @@
from trytond.pool import Pool
from trytond.cache import LRUDict
from trytond.config import CONFIG
from .modelview import ModelView


class ModelStorage(Model):
@@ -42,18 +43,19 @@ class ModelStorage(Model):

def __init__(self):
super(ModelStorage, self).__init__()
self._rpc.update({
'create': True,
'read': False,
'write': True,
'delete': True,
'copy': True,
'search': False,
'search_count': False,
'search_read': False,
'export_data': False,
'import_data': True,
})
if isinstance(self, ModelView):
self._rpc.update({
'create': True,
'read': False,
'write': True,
'delete': True,
'copy': True,
'search': False,
'search_count': False,
'search_read': False,
'export_data': False,
'import_data': True,
})
self._constraints = []

def default_create_uid(self):
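Review bot: The `isinstance(self, ModelView)` guard in `__init__` only withholds the ten storage methods listed in this dictionary; anything the `Model` base class or a subclass puts into `_rpc` on its own is untouched, so whether a storage-only model is fully unreachable over RPC depends on code outside this hunk (the dispatcher and the other `__init__` methods are not shown). The condition also reads as arbitrary without context, so I would put a comment above it, e.g. `# Storage methods are published over RPC only for client-facing models (ModelView); see CVE-2012-0215`, and add a regression test asserting that a ModelStorage subclass without ModelView has no `'create'`, `'write'` or `'delete'` key in `_rpc`. The new module-level `from .modelview import ModelView` is worth checking for an import cycle in case modelview imports modelstorage, which is not visible here. The class body continues beyond the hunk.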