From 83aa86d658cf09517c7e6b652b6c73081ccf8cd8 Mon Sep 17 00:00:00 2001
From: RomainLibert <rli@odoo.com>
Date: Mon, 14 May 2018 15:35:41 +0200
Subject: [PATCH] [IMP] website_event: avoid reading of emails

The new route make_event_ics_file received a list of attendee ids and was sending
the emails associated with these in an ics file, this could potentially
give out some information about the attendees.

(see commit 7862b2b71cab2f2e86439fee9483b972a51783f6)

Also the method get_ics_file had no reason to be public and so is now
private.

Closes #24711
---
 addons/calendar/models/calendar.py       |  4 ++--
 addons/website_event/controllers/main.py |  9 ++++-----
 addons/website_event/models/event.py     | 11 ++---------
 3 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/addons/calendar/models/calendar.py b/addons/calendar/models/calendar.py
index aab7df959865..9ffc221555b9 100644
--- a/addons/calendar/models/calendar.py
+++ b/addons/calendar/models/calendar.py
@@ -170,7 +170,7 @@ class Attendee(models.Model):
         invitation_template = self.env.ref(template_xmlid)
 
         # get ics file for all meetings
-        ics_files = self.mapped('event_id').get_ics_file()
+        ics_files = self.mapped('event_id')._get_ics_file()
 
         # prepare rendering context for mail template
         colors = {
@@ -946,7 +946,7 @@ class Meeting(models.Model):
     ####################################################
 
     @api.multi
-    def get_ics_file(self):
+    def _get_ics_file(self):
         """ Returns iCalendar file for the event invitation.
             :returns a dict of .ics file content for each meeting
         """
diff --git a/addons/website_event/controllers/main.py b/addons/website_event/controllers/main.py
index d6e03931722b..a06d95002330 100644
--- a/addons/website_event/controllers/main.py
+++ b/addons/website_event/controllers/main.py
@@ -10,7 +10,7 @@ from dateutil.relativedelta import relativedelta
 
 from odoo import fields, http, _
 from odoo.addons.http_routing.models.ir_http import slug
-from odoo.http import request
+from odoo.http import content_disposition, request
 
 
 class WebsiteEventController(http.Controller):
@@ -270,15 +270,14 @@ class WebsiteEventController(http.Controller):
             'iCal_url': urls.get('iCal_url')
         })
 
-    @http.route(['/event/<model("event.event"):event>/ics/<string:name>.ics'], type='http', auth="public", website=True)
+    @http.route(['/event/<model("event.event"):event>/ics'], type='http', auth="public", website=True)
     def make_event_ics_file(self, event, **kwargs):
         if not event or not event.registration_ids:
             return request.not_found()
-        attendee_ids = list(json.loads(kwargs.get('attendees', '{}').replace("'", '"')).values())
-        files = event.get_ics_file(attendee_ids)
+        files = event._get_ics_file()
         content = files[event.id]
         return request.make_response(content, [
             ('Content-Type', 'application/octet-stream'),
             ('Content-Length', len(content)),
-            ('Content-Disposition', 'attachment; filename=' + event.name + '.ics')
+            ('Content-Disposition', content_disposition('%s.ics' % event.name))
         ])
diff --git a/addons/website_event/models/event.py b/addons/website_event/models/event.py
index 573f8b34fbac..b9ddc4fbeda3 100644
--- a/addons/website_event/models/event.py
+++ b/addons/website_event/models/event.py
@@ -136,7 +136,7 @@ class Event(models.Model):
         }
 
     @api.multi
-    def get_ics_file(self, attendee_ids):
+    def _get_ics_file(self):
         """ Returns iCalendar file for the event invitation.
             :returns a dict of .ics file content for each event
         """
@@ -157,10 +157,6 @@ class Event(models.Model):
             if event.address_id:
                 cal_event.add('location').value = event.sudo().address_id.contact_address
 
-            attendees = self.env['event.registration'].browse(attendee_ids)
-            for attendee in attendees:
-                attendee_add = cal_event.add('attendee')
-                attendee_add.value = u'MAILTO:' + (attendee.email or u'')
             result[event.id] = cal.serialize().encode('utf-8')
         return result
 
@@ -175,8 +171,5 @@ class Event(models.Model):
             'details': self.name,
         })
         google_url = GOOGLE_CALENDAR_URL + params
-        params = werkzeug.url_encode({
-            'attendees': dict(('attendee_%s' % attendee, attendee) for attendee in attendees)
-        })
-        iCal_url = '/event/%s/ics/%s.ics?' % (slug(self), self.name) + params
+        iCal_url = '/event/%s/ics?%s' % (slug(self), params)
         return {'google_url': google_url, 'iCal_url': iCal_url}
-- 
GitLab