[FIX] web,(various): don't pollute session_info for portal users

The `session_info` dictionnary is used to bootstrap some JS code client side (usually in the backend). It includes relevant information, such as some parameters key for the OdooBot onboarding, the Enterprise subscription expiration alert, etc. to avoid triggering a lot of RPC calls upon webclient start. `session_info` is also called by the remote authentication mechanism located at `/web/session/authenticate`, which can be used by external mechanism to obtain a valid session remotely. Revision odoo/odoo@8a28cc2 introduced the concept of cache keys for some oft-requested data (such as menus, translations and dynamic qweb templates) to avoid requesting them on each webclient start, since they tend not to change often. Unfortunately, it introduced a read on the ir.ui.menu model that raised an `AccessError` if the authenticating user was not a member of the `base.group_user` group ('Internal' user type). While fixing that issue, it became apparent that `session_info` returns a whole lot of information through this remote connection route which is entirely unnecessary if not used in the context of a webclient start, such a currencies, the state of the enterprise subscription, etc. This commit fixes the access right issue by removing this non-relevant information from the returned dict (including cache keys) if the user is not an internal one. closes odoo/odoo#40770 X-original-commit: 6e99ac2c Related: odoo/enterprise#6860 Signed-off-by: Damien Bouvy (dbo) <dbo@odoo.com>

[FIX] web,(various): don't pollute session_info for portal users
d2b02cab · Damien Bouvy · a7a9362e · d2b02cab · d2b02cab · d2b02cab
Commit d2b02cab authored 5 years ago by Damien Bouvy
--- a/addons/barcodes/models/ir_http.py
+++ b/addons/barcodes/models/ir_http.py
@@ -9,6 +9,7 @@ class IrHttp(models.AbstractModel):

    def session_info(self):
        res = super(IrHttp, self).session_info()
-        res['max_time_between_keys_in_ms'] = int(
-            self.env['ir.config_parameter'].sudo().get_param('barcode.max_time_between_keys_in_ms', default='55'))
+        if self.env.user.has_group('base.group_user'):
+            res['max_time_between_keys_in_ms'] = int(
+                self.env['ir.config_parameter'].sudo().get_param('barcode.max_time_between_keys_in_ms', default='55'))
        return res
--- a/addons/base_setup/models/ir_http.py
+++ b/addons/base_setup/models/ir_http.py
@@ -9,5 +9,6 @@ class IrHttp(models.AbstractModel):

    def session_info(self):
        result = super(IrHttp, self).session_info()
-        result['show_effect'] = request.env['ir.config_parameter'].sudo().get_param('base_setup.show_effect')
+        if request.env.user.has_group('base.group_user'):
+            result['show_effect'] = request.env['ir.config_parameter'].sudo().get_param('base_setup.show_effect')
        return result
--- a/addons/hr_timesheet/models/ir_http.py
+++ b/addons/hr_timesheet/models/ir_http.py
@@ -12,10 +12,10 @@ class Http(models.AbstractModel):
            widget to apply, depending on th ecurrent company.
        """
        result = super(Http, self).session_info()
+        if self.env.user.has_group('base.group_user'):
+            company = self.env.company
+            encoding_uom = company.timesheet_encode_uom_id

-        company = self.env.company
-        encoding_uom = company.timesheet_encode_uom_id
-
-        result['timesheet_uom'] = encoding_uom.read(['name', 'rounding', 'timesheet_widget'])[0]
-        result['timesheet_uom_factor'] = company.project_time_mode_id._compute_quantity(1.0, encoding_uom, round=False)  # convert encoding uom into stored uom to get conversion factor
+            result['timesheet_uom'] = encoding_uom.read(['name', 'rounding', 'timesheet_widget'])[0]
+            result['timesheet_uom_factor'] = company.project_time_mode_id._compute_quantity(1.0, encoding_uom, round=False)  # convert encoding uom into stored uom to get conversion factor
        return result
--- a/addons/mail/models/ir_http.py
+++ b/addons/mail/models/ir_http.py
@@ -11,5 +11,6 @@ class IrHttp(models.AbstractModel):
    def session_info(self):
        user = request.env.user
        result = super(IrHttp, self).session_info()
-        result['out_of_office_message'] = user.out_of_office_message
+        if self.env.user.has_group('base.group_user'):
+            result['out_of_office_message'] = user.out_of_office_message
        return result
--- a/addons/mail_bot/models/ir_http.py
+++ b/addons/mail_bot/models/ir_http.py
@@ -9,5 +9,6 @@ class Http(models.AbstractModel):

    def session_info(self):
        res = super(Http, self).session_info()
-        res['odoobot_initialized'] = self.env.user.odoobot_state != 'not_initialized'
+        if self.env.user.has_group('base.group_user'):
+            res['odoobot_initialized'] = self.env.user.odoobot_state != 'not_initialized'
        return res
--- a/addons/web/models/ir_http.py
+++ b/addons/web/models/ir_http.py
@@ -27,22 +27,7 @@ class Http(models.AbstractModel):

        user_context = request.session.get_context() if request.session.uid else {}

-        mods = module_boot()
-        qweb_checksum = HomeStaticTemplateHelpers.get_qweb_templates_checksum(addons=mods, debug=request.session.debug)
-
-        lang = user_context.get("lang")
-        translations_per_module, lang_params = request.env['ir.translation'].get_translations_for_webclient(mods, lang)
-        translation_cache = {
-            'lang': lang,
-            'lang_parameters': lang_params,
-            'modules': translations_per_module,
-            'multi_lang': len(request.env['res.lang'].sudo().get_installed()) > 1,
-        }
-
-        menu_json_utf8 = json.dumps(request.env['ir.ui.menu'].load_menus(request.session.debug), default=ustr, sort_keys=True).encode()
-        translations_json_utf8 = json.dumps(translation_cache, sort_keys=True).encode()
-
-        return {
+        session_info = {
            "uid": request.session.uid,
            "is_system": user._is_system() if request.session.uid else False,
            "is_admin": user._is_admin() if request.session.uid else False,
@@ -55,18 +40,39 @@ class Http(models.AbstractModel):
            "partner_display_name": user.partner_id.display_name,
            "company_id": user.company_id.id if request.session.uid else None,  # YTI TODO: Remove this from the user context
            "partner_id": user.partner_id.id if request.session.uid and user.partner_id else None,
-            # current_company should be default_company
-            "user_companies": {'current_company': (user.company_id.id, user.company_id.name), 'allowed_companies': [(comp.id, comp.name) for comp in user.company_ids]},
-            "currencies": self.get_currencies() if request.session.uid else {},
            "web.base.url": self.env['ir.config_parameter'].sudo().get_param('web.base.url', default=''),
-            "show_effect": True,
-            "display_switch_company_menu": user.has_group('base.group_multi_company') and len(user.company_ids) > 1,
-            "cache_hashes": {
-                "load_menus": hashlib.sha512(menu_json_utf8).hexdigest()[:64],  # sha512/256
-                "qweb": qweb_checksum,
-                "translations": hashlib.sha512(translations_json_utf8).hexdigest()[:64],  # sha512/256
-            },
        }
+        if self.env.user.has_group('base.group_user'):
+            # the following is only useful in the context of a webclient bootstrapping
+            # but is still included in some other calls (e.g. '/web/session/authenticate')
+            # to avoid access errors and unnecessary information, it is only included for users
+            # with access to the backend ('internal'-type users)
+            mods = module_boot()
+            qweb_checksum = HomeStaticTemplateHelpers.get_qweb_templates_checksum(addons=mods, debug=request.session.debug)
+            lang = user_context.get("lang")
+            translations_per_module, lang_params = request.env['ir.translation'].get_translations_for_webclient(mods, lang)
+            translation_cache = {
+                'lang': lang,
+                'lang_parameters': lang_params,
+                'modules': translations_per_module,
+                'multi_lang': len(request.env['res.lang'].sudo().get_installed()) > 1,
+            }
+            menu_json_utf8 = json.dumps(request.env['ir.ui.menu'].load_menus(request.session.debug), default=ustr, sort_keys=True).encode()
+            translations_json_utf8 = json.dumps(translation_cache, sort_keys=True).encode()
+            cache_hashes = {
+                "load_menus": hashlib.sha512(menu_json_utf8).hexdigest()[:64], # sha512/256
+                "qweb": qweb_checksum,
+                "translations": hashlib.sha512(translations_json_utf8).hexdigest()[:64], # sha512/256
+            }
+            session_info.update({
+                # current_company should be default_company
+                "user_companies": {'current_company': (user.company_id.id, user.company_id.name), 'allowed_companies': [(comp.id, comp.name) for comp in user.company_ids]},
+                "currencies": self.get_currencies(),
+                "show_effect": True,
+                "display_switch_company_menu": user.has_group('base.group_multi_company') and len(user.company_ids) > 1,
+                "cache_hashes": cache_hashes,
+            })
+        return session_info

    @api.model
    def get_frontend_session_info(self):