Prevent URL manipulation in portal for vps

2024-08-05 00:01:31 +02:00
parent da325f0c79
commit 44a91358ff
6 changed files with 60 additions and 20 deletions
--- a/ow_vm_management/controllers/pycache/portal.cpython-39.pyc
+++ b/ow_vm_management/controllers/pycache/portal.cpython-39.pyc
--- a/ow_vm_management/controllers/portal.py
+++ b/ow_vm_management/controllers/portal.py
@@ -1,27 +1,30 @@
 from odoo import http, _
-from odoo.exceptions import AccessError, MissingError
+from odoo.exceptions import AccessError
 from odoo.http import request
 from odoo.addons.portal.controllers.portal import CustomerPortal, pager as portal_pager
 from odoo.osv.expression import OR

-class CustomerPortalVPS(CustomerPortal):
+class VPSPortal(CustomerPortal):

    def _prepare_home_portal_values(self, counters):
        values = super()._prepare_home_portal_values(counters)
+        partner = request.env.user.partner_id
+        VPSServer = request.env['vps.server']
        if 'vps_server_count' in counters:
-            values['vps_server_count'] = request.env['vps.server'].search_count([('customer_id', '=', request.env.user.partner_id.id)])
+            values['vps_server_count'] = VPSServer.search_count([('customer_id', '=', partner.id)])
        return values

    @http.route(['/my/vps-servers', '/my/vps-servers/page/<int:page>'], type='http', auth="user", website=True)
    def portal_my_vps_servers(self, page=1, date_begin=None, date_end=None, sortby=None, **kw):
        values = self._prepare_portal_layout_values()
+        partner = request.env.user.partner_id
        VPSServer = request.env['vps.server']

-        domain = [('customer_id', '=', request.env.user.partner_id.id)]
+        domain = [('customer_id', '=', partner.id)]

        searchbar_sortings = {
            'name': {'label': _('Name'), 'order': 'name'},
-            'ip_address': {'label': _('IP Address'), 'order': 'ip_address'},
+            'state': {'label': _('State'), 'order': 'state'},
        }

        if not sortby:
@@ -62,28 +65,43 @@ class CustomerPortalVPS(CustomerPortal):
        })
        return request.render("ow_vm_management.portal_my_vps_servers", values)

-    @http.route(['/my/vps/<int:vps_id>/restart'], type='http', auth="user", website=True)
-    def portal_restart_vps(self, vps_id, **kw):
+    @http.route(['/my/vps-servers/<int:vps_id>'], type='http', auth="user", website=True)
+    def portal_my_vps_server(self, vps_id, **kw):
        try:
-            vps_sudo = request.env['vps.server'].sudo().browse(vps_id)
-            vps_sudo.action_restart_from_portal()
-            return request.redirect(vps_sudo.get_portal_url())
+            vps_sudo = self._document_check_access('vps.server', vps_id)
        except AccessError:
            return request.redirect('/my')
-        
-    @http.route(['/my/vps-servers/<int:vps_server_id>'], type='http', auth="user", website=True)
-    def portal_my_vps_server(self, vps_server_id=None, access_token=None, **kw):
-        try:
-            vps_server_sudo = self._document_check_access('vps.server', vps_server_id, access_token)
-        except (AccessError, MissingError):
+
+        if vps_sudo.customer_id.id != request.env.user.partner_id.id:
            return request.redirect('/my')

-        values = self._vps_server_get_page_view_values(vps_server_sudo, access_token, **kw)
+        values = self._vps_server_get_page_view_values(vps_sudo, **kw)
        return request.render("ow_vm_management.portal_vps_server_page", values)

-    def _vps_server_get_page_view_values(self, vps_server, access_token, **kwargs):
+    def _vps_server_get_page_view_values(self, vps_server, access_token=None, **kwargs):
        values = {
            'page_name': 'vps_server',
            'vps_server': vps_server,
        }
-        return self._get_page_view_values(vps_server, access_token, values, 'my_vps_servers_history', False, **kwargs)
+        return self._get_page_view_values(vps_server, access_token, values, 'my_vps_servers_history', False, **kwargs)
+
+    @http.route(['/my/vps/<int:vps_id>/restart'], type='http', auth="user", website=True)
+    def portal_restart_vps(self, vps_id, **kw):
+        try:
+            vps_sudo = self._document_check_access('vps.server', vps_id)
+            if vps_sudo.customer_id.id != request.env.user.partner_id.id:
+                return request.redirect('/my')
+            vps_sudo.action_restart_from_portal()
+            return request.redirect(vps_sudo.get_portal_url())
+        except AccessError:
+            return request.redirect('/my')
+
+    def _document_check_access(self, model_name, document_id, access_token=None):
+        document = request.env[model_name].sudo().browse(document_id)
+        document_sudo = document.with_user(request.env.user).sudo()
+        try:
+            document_sudo.check_access_rights('read')
+            document_sudo.check_access_rule('read')
+        except AccessError:
+            raise
+        return document_sudo