[REF] Server Environment: restrict access to server config to allowed users

New security group restricting access to server config Admin is part of the group by default
2018-10-08 11:45:13 +02:00 · 2018-10-08 11:45:13 +02:00 · c7a09c0224
parent fee58c7681
commit c7a09c0224
4 changed files with 28 additions and 3 deletions
--- a/server_environment/README.rst
+++ b/server_environment/README.rst
@ -18,7 +18,8 @@ an environment variable with a fallback on default values in the database.

 The configuration read from the files are visible under the Configuration
 menu.  If you are not in the 'dev' environment you will not be able to
-see the values contained in keys named '*passw*'.
+see the values contained in the defined secret keys
+(by default : '*passw*', '*key*', '*secret*' and '*token*').

 Installation
 ============
--- a/server_environment/manifest.py
+++ b/server_environment/manifest.py
@ -31,6 +31,7 @@
    "license": "GPL-3 or any later version",
    "category": "Tools",
    "data": [
+        'security/res_groups.xml',
        'serv_config.xml',
    ],
    'installable': True,
--- a/server_environment/security/res_groups.xml
+++ b/server_environment/security/res_groups.xml
@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+
+<odoo>
+
+    <record model="res.groups" id="has_server_configuration_access">
+        <field name="name">View Server Environment Configuration</field>
+        <field name="users" eval="[(4, ref('base.user_root'))]"/>
+    </record>
+
+</odoo>
--- a/server_environment/serv_config.py
+++ b/server_environment/serv_config.py
@ -24,7 +24,7 @@ import configparser
 from lxml import etree
 from itertools import chain

-from odoo import api, fields, models
+from odoo import api, models, fields
 from odoo.tools.config import config as system_base_config

 from .system_info import get_server_environment
@ -283,11 +283,24 @@ class ServerConfiguration(models.TransientModel):
            res['fields'] = xfields
        return res

+    @api.model
+    def _is_secret(self, key):
+        """
+        This method is intended to be inherited to defined which keywords
+        should be secret.
+        :return: list of secret keywords
+        """
+        secret_keys = ['passw', 'key', 'secret', 'token']
+        return any(secret_key in key for secret_key in secret_keys)
+
    @api.model
    def default_get(self, fields_list):
        res = {}
+        if not self.env.user.has_group(
+                'server_environment.has_server_configuration_access'):
+            return res
        for key in self._conf_defaults:
-            if 'passw' in key and not self.show_passwords:
+            if not self.show_passwords and self._is_secret(key=key):
                res[key] = '**********'
            else:
                res[key] = self._conf_defaults[key]()