Prevent URL manipulation in portal for vps

2024-08-05 00:01:31 +02:00
parent da325f0c79
commit 44a91358ff
6 changed files with 60 additions and 20 deletions
--- a/ow_vm_management/manifest.py
+++ b/ow_vm_management/manifest.py
@@ -16,6 +16,7 @@
    ],
    'data': [
        'security/ir.model.access.csv',
+        'security/ir.rule.xml',
        'views/vps_server_views.xml',
        'views/res_partner_views.xml',
        'views/portal_templates.xml',
--- a/ow_vm_management/controllers/pycache/portal.cpython-39.pyc
+++ b/ow_vm_management/controllers/pycache/portal.cpython-39.pyc
--- a/ow_vm_management/controllers/portal.py
+++ b/ow_vm_management/controllers/portal.py
@@ -1,27 +1,30 @@
 from odoo import http, _
-from odoo.exceptions import AccessError, MissingError
+from odoo.exceptions import AccessError
 from odoo.http import request
 from odoo.addons.portal.controllers.portal import CustomerPortal, pager as portal_pager
 from odoo.osv.expression import OR

-class CustomerPortalVPS(CustomerPortal):
+class VPSPortal(CustomerPortal):

    def _prepare_home_portal_values(self, counters):
        values = super()._prepare_home_portal_values(counters)
+        partner = request.env.user.partner_id
+        VPSServer = request.env['vps.server']
        if 'vps_server_count' in counters:
-            values['vps_server_count'] = request.env['vps.server'].search_count([('customer_id', '=', request.env.user.partner_id.id)])
+            values['vps_server_count'] = VPSServer.search_count([('customer_id', '=', partner.id)])
        return values

    @http.route(['/my/vps-servers', '/my/vps-servers/page/<int:page>'], type='http', auth="user", website=True)
    def portal_my_vps_servers(self, page=1, date_begin=None, date_end=None, sortby=None, **kw):
        values = self._prepare_portal_layout_values()
+        partner = request.env.user.partner_id
        VPSServer = request.env['vps.server']

-        domain = [('customer_id', '=', request.env.user.partner_id.id)]
+        domain = [('customer_id', '=', partner.id)]

        searchbar_sortings = {
            'name': {'label': _('Name'), 'order': 'name'},
-            'ip_address': {'label': _('IP Address'), 'order': 'ip_address'},
+            'state': {'label': _('State'), 'order': 'state'},
        }

        if not sortby:
@@ -62,28 +65,43 @@ class CustomerPortalVPS(CustomerPortal):
        })
        return request.render("ow_vm_management.portal_my_vps_servers", values)

-    @http.route(['/my/vps/<int:vps_id>/restart'], type='http', auth="user", website=True)
-    def portal_restart_vps(self, vps_id, **kw):
+    @http.route(['/my/vps-servers/<int:vps_id>'], type='http', auth="user", website=True)
+    def portal_my_vps_server(self, vps_id, **kw):
        try:
-            vps_sudo = request.env['vps.server'].sudo().browse(vps_id)
-            vps_sudo.action_restart_from_portal()
-            return request.redirect(vps_sudo.get_portal_url())
+            vps_sudo = self._document_check_access('vps.server', vps_id)
        except AccessError:
            return request.redirect('/my')

-    @http.route(['/my/vps-servers/<int:vps_server_id>'], type='http', auth="user", website=True)
-    def portal_my_vps_server(self, vps_server_id=None, access_token=None, **kw):
-        try:
-            vps_server_sudo = self._document_check_access('vps.server', vps_server_id, access_token)
-        except (AccessError, MissingError):
+        if vps_sudo.customer_id.id != request.env.user.partner_id.id:
            return request.redirect('/my')

-        values = self._vps_server_get_page_view_values(vps_server_sudo, access_token, **kw)
+        values = self._vps_server_get_page_view_values(vps_sudo, **kw)
        return request.render("ow_vm_management.portal_vps_server_page", values)

-    def _vps_server_get_page_view_values(self, vps_server, access_token, **kwargs):
+    def _vps_server_get_page_view_values(self, vps_server, access_token=None, **kwargs):
        values = {
            'page_name': 'vps_server',
            'vps_server': vps_server,
        }
        return self._get_page_view_values(vps_server, access_token, values, 'my_vps_servers_history', False, **kwargs)
+
+    @http.route(['/my/vps/<int:vps_id>/restart'], type='http', auth="user", website=True)
+    def portal_restart_vps(self, vps_id, **kw):
+        try:
+            vps_sudo = self._document_check_access('vps.server', vps_id)
+            if vps_sudo.customer_id.id != request.env.user.partner_id.id:
+                return request.redirect('/my')
+            vps_sudo.action_restart_from_portal()
+            return request.redirect(vps_sudo.get_portal_url())
+        except AccessError:
+            return request.redirect('/my')
+
+    def _document_check_access(self, model_name, document_id, access_token=None):
+        document = request.env[model_name].sudo().browse(document_id)
+        document_sudo = document.with_user(request.env.user).sudo()
+        try:
+            document_sudo.check_access_rights('read')
+            document_sudo.check_access_rule('read')
+        except AccessError:
+            raise
+        return document_sudo
--- a/ow_vm_management/models/pycache/vps_server.cpython-39.pyc
+++ b/ow_vm_management/models/pycache/vps_server.cpython-39.pyc
--- a/ow_vm_management/models/vps_server.py
+++ b/ow_vm_management/models/vps_server.py
@@ -1,5 +1,5 @@
 from odoo import models, fields, api, _
-from odoo.exceptions import UserError
+from odoo.exceptions import UserError, AccessError
 import requests
 import urllib3
 import ipaddress
@@ -89,6 +89,12 @@ class VPSServer(models.Model):
            status = self._proxmox_request('GET', f'nodes/pve/{vm_type}/{vm_id}/status/current')
            server.state = 'running' if status['data']['status'] == 'running' else 'stopped'

+    def check_access_rule(self, operation):
+        if self.env.user.has_group('base.group_portal'):
+            if operation != 'read' or self.customer_id != self.env.user.partner_id:
+                raise AccessError(_("You don't have access to this VPS server."))
+        return super(VPSServer, self).check_access_rule(operation)
+
    def action_restart_from_portal(self):
        self.ensure_one()
        if self.env.user.partner_id != self.customer_id:
--- a/ow_vm_management/security/ir.rule.xml
+++ b/ow_vm_management/security/ir.rule.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <data noupdate="1">
+        <record id="vps_server_portal_rule" model="ir.rule">
+            <field name="name">Portal user can only see own VPS servers</field>
+            <field name="model_id" ref="model_vps_server"/>
+            <field name="domain_force">[('customer_id', '=', user.partner_id.id)]</field>
+            <field name="groups" eval="[(4, ref('base.group_portal'))]"/>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_unlink" eval="False"/>
+        </record>
+    </data>
+</odoo>