Add safety to prevent crafting queue.job records
As we can delay a job on any method, and the queue.job model is accessible from RPC (as any model), prevent to:

* create a queue.job using RPC
* write on protected fields (e.g. method name) using RPC

Admittedly, the risk is low since users need to have Queue Job Manager access to create/write on jobs, but it would allow these users to call internal methods.

The check is done using a context key that must be equal to a sentinel object, which is impossible to pass through RPC.
Showing 4 changed files with 83 additions and 8 deletions.
@@ -0,0 +1,32 @@ | ||
# copyright 2020 Camptocamp | ||
# license lgpl-3.0 or later (http://www.gnu.org/licenses/lgpl.html) | ||
|
||
from odoo import exceptions | ||
from odoo.tests import common | ||
|
||
|
||
class TestJobWriteProtected(common.SavepointCase): | ||
|
||
def test_create_error(self): | ||
with self.assertRaises(exceptions.AccessError): | ||
self.env["queue.job"].create({ | ||
"uuid": "test", | ||
"model_name": "res.partner", | ||
"method_name": "write" | ||
}) | ||
|
||
def test_write_protected_field_error(self): | ||
job_ = self.env["res.partner"].with_delay().create({ | ||
"name": "test", | ||
}) | ||
db_job = job_.db_record() | ||
with self.assertRaises(exceptions.AccessError): | ||
db_job.method_name = "unlink" | ||
|
||
def test_write_allow_no_protected_field_error(self): | ||
job_ = self.env["res.partner"].with_delay().create({ | ||
"name": "test", | ||
}) | ||
db_job = job_.db_record() | ||
with self.assertRaises(exceptions.AccessError): | ||
db_job.priority = 30 |
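Review bot: the last test, `test_write_allow_no_protected_field_error`, contradicts both its own name and the commit message: `priority` is not one of the protected fields (the message names the method name as the kind of field being guarded), so writing it from a Queue Job Manager should succeed, yet the test wraps the assignment in `with self.assertRaises(exceptions.AccessError):`. Either the assertion is inverted or the name is wrong; the intent reads as the former, so replace the `assertRaises` block with a plain `db_job.priority = 30` followed by `self.assertEqual(db_job.priority, 30)`, which also gives the protection a negative test proving it does not block legitimate edits. As written, the test would pass only if the guard rejected all writes, which is the regression the commit says it avoids. Separately, the three test names all end in `_error`, including this one; renaming it to `test_write_unprotected_field_allowed` would make the expected outcome obvious when it fails.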