From c7a09c02242fd3ffa9076fe33a3dd553084a607c Mon Sep 17 00:00:00 2001
From: Thomas Binsfeld
Date: Mon, 8 Oct 2018 11:45:13 +0200
Subject: [PATCH] [REF] Server Environment: restrict access to server config to allowed users
New security group restricting access to server config
Admin is part of the group by default
---
 server_environment/README.rst | 3 ++-
 server_environment/__manifest__.py | 1 +
 server_environment/security/res_groups.xml | 10 ++++++++++
 server_environment/serv_config.py | 17 +++++++++++++++--
 4 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 server_environment/security/res_groups.xml
diff --git a/server_environment/README.rst b/server_environment/README.rst
index 5517d0e..d512efb 100644
--- a/server_environment/README.rst
+++ b/server_environment/README.rst
@@ -18,7 +18,8 @@ an environment variable with a fallback on default values in the database. The configuration read from the files are visible under the Configuration menu. If you are not in the 'dev' environment you will not be able to
-see the values contained in keys named '*passw*'.
+see the values contained in the defined secret keys
+(by default : '*passw*', '*key*', '*secret*' and '*token*').
 Installation
 ============
diff --git a/server_environment/__manifest__.py b/server_environment/__manifest__.py
index 15a7510..065af45 100644
--- a/server_environment/__manifest__.py
+++ b/server_environment/__manifest__.py
@@ -31,6 +31,7 @@
 "license": "GPL-3 or any later version",
 "category": "Tools",
 "data": [
+ 'security/res_groups.xml',
 'serv_config.xml',
 ],
 'installable': True,
diff --git a/server_environment/security/res_groups.xml b/server_environment/security/res_groups.xml
new file mode 100644
index 0000000..1297fbf
--- /dev/null
+++ b/server_environment/security/res_groups.xml
@@ -0,0 +1,10 @@
+
+
+
+
+
+ View Server Environment Configuration
+
+
+
+
diff --git a/server_environment/serv_config.py b/server_environment/serv_config.py
index 4af4061..e695b99 100644
--- a/server_environment/serv_config.py
+++ b/server_environment/serv_config.py
@@ -24,7 +24,7 @@ import configparser
 from lxml import etree
 from itertools import chain
-from odoo import api, fields, models
+from odoo import api, models, fields
 from odoo.tools.config import config as system_base_config
 from .system_info import get_server_environment
@@ -283,11 +283,24 @@ class ServerConfiguration(models.TransientModel):
 res['fields'] = xfields
 return res
+ @api.model
+ def _is_secret(self, key):
+ """
+ This method is intended to be inherited to defined which keywords
+ should be secret.
+ :return: list of secret keywords
+ """
+ secret_keys = ['passw', 'key', 'secret', 'token']
+ return any(secret_key in key for secret_key in secret_keys)
+
 @api.model
 def default_get(self, fields_list):
 res = {}
+ if not self.env.user.has_group(
+ 'server_environment.has_server_configuration_access'):
+ return res
 for key in self._conf_defaults:
- if 'passw' in key and not self.show_passwords:
+ if not self.show_passwords and self._is_secret(key=key):
 res[key] = '**********'
 else:
 res[key] = self._conf_defaults[key]()
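Review bot: `_is_secret` matches its keywords case-sensitively, and its docstring promises a list while the method returns a bool. An option whose name reaches `_conf_defaults` as `PASSWORD` or `Api_Token` would be shown unmasked unless keys are lower-cased before that point, which this hunk does not show. I would compare against the lower-cased name, `return any(secret_key in key.lower() for secret_key in secret_keys)`, and reword the docstring to `:return: True if the key name contains one of the secret keywords`, also fixing "to defined". Because masking is decided by key name only, a value that embeds credentials under an unmatched key (for example a connection URL) is still displayed to every member of the new group, so the docstring should tell overriders to extend the keyword list for such options. The group check is added only in `default_get`, whose end lies outside the hunk; it is worth confirming whether `fields_view_get` above still returns the option names to users without the group.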