Commit 02018563 authored by Thibault Delavallée's avatar Thibault Delavallée

[FIX] website_mail: fixed is_follower controller, which could leak data about records.

Added instead a controller to get alias data. This controller is called by the
discussion group snippet to have the info about the alias.
parent b4adf79e
...@@ -83,6 +83,7 @@ class WebsiteMail(http.Controller): ...@@ -83,6 +83,7 @@ class WebsiteMail(http.Controller):
'is_user': uid != public_id, 'is_user': uid != public_id,
'email': email, 'email': email,
'is_follower': False, 'is_follower': False,
'alias_name': False,
} }
if not obj: if not obj:
...@@ -97,8 +98,22 @@ class WebsiteMail(http.Controller): ...@@ -97,8 +98,22 @@ class WebsiteMail(http.Controller):
('res_id', '=', obj_ids[0]), ('res_id', '=', obj_ids[0]),
('partner_id', '=', partner_id.id) ('partner_id', '=', partner_id.id)
], context=context)) == 1 ], context=context)) == 1
if post.get('fields'):
record = obj.read(cr, SUPERUSER_ID, obj_ids[0], fields=post.get('fields'), context=context) return values
values.update(record)
@http.route(['/website_mail/get_alias_info'], type='json', auth='public', website=True)
def get_alias_info(self, model, id, **post):
id = int(id)
cr, uid, context = request.cr, request.uid, request.context
obj = request.registry.get(model)
values = {'alias_name': False}
if not obj:
return values
obj_ids = obj.exists(cr, SUPERUSER_ID, [id], context=context)
if obj_ids and 'alias_id' in obj._all_columns:
alias_id = obj.browse(cr, SUPERUSER_ID, obj_ids[0], context=context).alias_id
values['alias_name'] = alias_id and alias_id.alias_domain and '%s@%s' % (alias_id.alias_name, alias_id.alias_domain) or False
return values return values
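Review bot: `get_alias_info` still takes `model` from the public caller and resolves the record with `SUPERUSER_ID` (the `obj.exists` and `obj.browse` calls), so any anonymous visitor can read the alias address of any record, in any model that has an `alias_id` column, by id, and can often infer from `alias_name` being set whether a given record id exists. The exposed data is far narrower than before, but it is still a cross-model disclosure of the kind the description sets out to close; restrict `model` to the models the discussion group snippet actually targets, or do the lookup as `uid` so the model's access rules decide, e.g. `obj_ids = obj.search(cr, uid, [('id', '=', id)], context=context)`. Separately, `id = int(id)` raises on a non-numeric value and surfaces as an RPC error instead of the `{'alias_name': False}` default; a `try/except ValueError` returning `values` keeps the empty response. The `is_follower` method touched by the first hunk begins above this section.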
...@@ -12,15 +12,12 @@ ...@@ -12,15 +12,12 @@
openerp.jsonRpc('/website_mail/is_follower', 'call', { openerp.jsonRpc('/website_mail/is_follower', 'call', {
model: this.$target.data('object'), model: this.$target.data('object'),
id: this.$target.data('id'), id: this.$target.data('id'),
fields: ['name', 'alias_id'], get_alias_info: true,
}).always(function (data) { }).always(function (data) {
self.is_user = data.is_user; self.is_user = data.is_user;
self.$target.find('.js_mg_email').attr('href', 'mailto:' + data.alias_id[1]); self.email = data.email;
self.$target.find('.js_mg_link').attr('href', '/groups/' + data.id); self.$target.find('.js_mg_link').attr('href', '/groups/' + self.$target.data('id'));
self.toggle_subscription(data.is_follower); self.toggle_subscription(data.is_follower, data.email);
self.$target.find('input.js_follow_email')
.val(data.email ? data.email : "")
.attr("disabled", data.is_follower || (data.email.length && self.is_user) ? "disabled" : false);
self.$target.removeClass("hidden"); self.$target.removeClass("hidden");
}); });
...@@ -51,10 +48,11 @@ ...@@ -51,10 +48,11 @@
'message_is_follower': this.$target.attr("data-follow") || "off", 'message_is_follower': this.$target.attr("data-follow") || "off",
'email': $email.length ? $email.val() : false, 'email': $email.length ? $email.val() : false,
}).then(function (follow) { }).then(function (follow) {
self.toggle_subscription(follow); self.toggle_subscription(follow, self.email);
}); });
}, },
toggle_subscription: function(follow) { toggle_subscription: function(follow, email) {
var alias_done = this.get_alias_info();
if (follow) { if (follow) {
this.$target.find(".js_mg_follow_form").addClass("hidden"); this.$target.find(".js_mg_follow_form").addClass("hidden");
this.$target.find(".js_mg_details").removeClass("hidden"); this.$target.find(".js_mg_details").removeClass("hidden");
...@@ -63,9 +61,21 @@ ...@@ -63,9 +61,21 @@
this.$target.find(".js_mg_follow_form").removeClass("hidden"); this.$target.find(".js_mg_follow_form").removeClass("hidden");
this.$target.find(".js_mg_details").addClass("hidden"); this.$target.find(".js_mg_details").addClass("hidden");
} }
this.$target.find('input.js_follow_email').attr("disabled", follow || this.is_user ? "disabled" : false); this.$target.find('input.js_follow_email')
.val(email ? email : "")
.attr("disabled", follow || (email.length && this.is_user) ? "disabled" : false);
this.$target.attr("data-follow", follow ? 'on' : 'off'); this.$target.attr("data-follow", follow ? 'on' : 'off');
return $.when(alias_done);
}, },
get_alias_info: function() {
var self = this;
return openerp.jsonRpc('/website_mail/get_alias_info', 'call', {
model: this.$target.data('object'),
id: this.$target.data('id'),
}).then(function (data) {
self.$target.find('.js_mg_email').attr('href', 'mailto:' + data.alias_name);
});
}
}); });
$(document).ready(function () { $(document).ready(function () {
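Review bot: `get_alias_info` writes `'mailto:' + data.alias_name` unconditionally, but the controller returns `alias_name: false` when the record or its alias is missing, so the link becomes `mailto:false`; guard it, `if (data.alias_name) { self.$target.find('.js_mg_email').attr('href', 'mailto:' + data.alias_name); }`. The call is also made from `toggle_subscription`, which runs on initial load and again after every subscribe/unsubscribe (the `.then` in the previous hunk), so the alias is re-fetched on each toggle although it does not depend on follow state; fetching it once during initialisation would remove the extra round trip and the `$.when(alias_done)` plumbing. `toggle_subscription` starts in the previous hunk.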