File: 02_enforce_record_rules.patch

tryton-server 6.0.29-2%2Bdeb12u4
  • area: main
  • in suites: bookworm-proposed-updates
  • size: 7,172 kB
  • sloc: python: 46,705; xml: 5,502; sh: 798; sql: 230; makefile: 21
Description: Enforce record rules when only reading fields without an SQL type.
 This patch fixes the information disclosure that occurs when reading
 function fields of a model protected by record rules.
 https://discuss.tryton.org/t/security-release-for-issue-12428/6397
Author: Cédric Krier <cedric.krier@b2ck.com>
Bug: https://foss.heptapod.net/tryton/tryton/-/issues/12428

--- a/trytond/model/modelsql.py
+++ b/trytond/model/modelsql.py
@@ -768,7 +768,7 @@
                         Coalesce(table.write_date, table.create_date)
                         ).cast(sql_type).as_('_timestamp'))
 
-        if len(columns):
+        if len(columns) or domain:
             if 'id' not in fields_names:
                 columns.append(table.id.as_('id'))
 
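Review bot: The changed condition `if len(columns) or domain:` carries the whole access-control fix, but nothing at that line says why `domain` belongs in it, so a later cleanup could drop it and reopen the leak. I would add a comment directly above it, for example `# Query even when no SQL column is requested so the record-rule domain is still applied to the ids`. `domain` is assigned outside this hunk, so this assumes it holds the record-rule domain and is falsy when no rule applies; the enclosing method also starts and ends outside the hunk.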
--- a/trytond/tests/test_rule.py
+++ b/trytond/tests/test_rule.py
@@ -320,6 +320,33 @@
             TestRule.read([test.id], ['field'])
 
     @with_transaction(context=_context)
+    def test_perm_read_with_rule_no_sql_type_fail(self):
+        "Test read with rule fail and without SQL type"
+        pool = Pool()
+        TestRule = pool.get('test.rule')
+        RuleGroup = pool.get('ir.rule.group')
+        Model = pool.get('ir.model')
+
+        model, = Model.search([('model', '=', 'test.rule')])
+        rule_group, = RuleGroup.create([{
+                    'name': "Field different from foo",
+                    'model': model.id,
+                    'global_p': True,
+                    'perm_read': True,
+                    'perm_create': False,
+                    'perm_write': False,
+                    'perm_delete': False,
+                    'rules': [('create', [{
+                                    'domain': json.dumps(
+                                        [('field', '!=', 'foo')]),
+                                    }])],
+                    }])
+        test, = TestRule.create([{'field': 'foo'}])
+
+        with self.assertRaisesRegex(AccessError, "Field different from foo"):
+            TestRule.read([test.id], ['rec_name'])
+
+    @with_transaction(context=_context)
     def test_search_without_rule(self):
         "Test search without rule"
         pool = Pool()
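Review bot: The new test `test_perm_read_with_rule_no_sql_type_fail` does not say why it reads `rec_name`, which is the detail that makes it a regression test for this issue. A comment above the `TestRule.read([test.id], ['rec_name'])` call would help, for example `# rec_name has no SQL column, so read() selects no table columns and must still enforce the rule`. It only exercises the denial path; a companion case where a record with a `field` value other than 'foo' is read through `rec_name` successfully would guard against the fix blocking permitted reads, unless a test outside this hunk already covers that.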