[IMP] res_user: security check to prevent users from switching to a company...

[IMP] res_user: security check to prevent users from switching to a company they do not belong to (thanks to xrg for reporting) bzr revid: odo@openerp.com-20100715165935-nlejai33n4m4o7ox

[IMP] res_user: security check to prevent users from switching to a company...
314e1d8f · Olivier Dony · 9b5f933b · 314e1d8f
Commit 314e1d8f authored 14 years ago by Olivier Dony
--- a/bin/addons/base/res/res_user.py
+++ b/bin/addons/base/res/res_user.py
@@ -360,7 +360,9 @@ class users(osv.osv):
                if not (key in self.SELF_WRITEABLE_FIELDS or key.startswith('context_')):
                    break
            else:
-                uid = 1 # safe fields only, so we write as super-user
+                # check that user is not selecting an invalid company_id
+                if 'company_id' not in values or (values.get('company_id') in self.read(cr, uid, uid, ['company_ids'], context=context)['company_ids']):
+                    uid = 1 # safe fields only, so we write as super-user to bypass access rights

        res = super(users, self).write(cr, uid, ids, values, context=context)