def _check_token(cls, token):
    """Tell whether *token* matches the notification token for this request.

    The expected value is produced by ``mail.thread`` from the request path
    and the request parameters with the ``token`` entry left out, so the
    value being checked is never part of its own input.

    :param token: value supplied by the caller; converted with ``str``
        before the comparison
    :return: result of ``consteq`` on the expected and the supplied token
    """
    link_path = request.httprequest.path
    signed_params = dict(request.params)
    # Drop the token itself; only the remaining parameters are signed.
    signed_params.pop('token', '')
    expected = request.env['mail.thread']._generate_notification_token(
        link_path, signed_params)
    # consteq instead of ==: presumably a constant-time comparison (the
    # helper is defined outside this block), which avoids leaking how many
    # leading characters of a guess were right.
    return consteq(expected, str(token))
def execute_callback(self):
    """Run the stored callback of each transaction in ``self``.

    A transaction is skipped when its callback definition is incomplete
    (model, record id or method name missing), when its ``callback_hash``
    does not match the freshly generated one, or when the target record no
    longer exists. The last two cases are logged as warnings.

    :return: value returned by the last callback that ran, or ``None`` when
        none ran
    """
    outcome = None
    for transaction in self:
        # Limited sudo env, used only to check that a callback is present,
        # never to run it. Manual transactions have no callback and can pass
        # without being run by the admin user.
        privileged = transaction.sudo()
        callback_defined = (
            privileged.callback_model_id
            and privileged.callback_res_id
            and privileged.callback_method
        )
        if not callback_defined:
            continue

        # The target model, record id and method name all come from stored
        # fields and the method is resolved with getattr(), so this hash
        # check is the gate in front of the call: a mismatch skips the
        # transaction instead of running anything.
        # NOTE(review): callback_hash is passed to consteq as stored;
        # confirm how consteq behaves when the field is unset.
        expected_hash = transaction._generate_callback_hash()
        if not consteq(ustr(expected_hash), transaction.callback_hash):
            _logger.warning(
                "Invalid callback signature for transaction %d" % (transaction.id))
            continue

        target = self.env[transaction.callback_model_id.model].browse(
            transaction.callback_res_id).exists()
        if not target:
            _logger.warning(
                "Did not found record %s.%s for callback of transaction %d" % (
                    transaction.callback_model_id.model,
                    transaction.callback_res_id,
                    transaction.id))
            continue
        outcome = getattr(target, transaction.callback_method)(transaction)
    return outcome
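def _order_check_access(self, order_id, access_token=None):
    """Return the sale order in sudo mode if the caller is allowed to read it.

    The current user's read rights and record rules are tried first. Only
    when they raise ``AccessError`` is ``access_token`` considered: it must
    be non-empty, the order must have a token set, and both must match.
    Otherwise the original ``AccessError`` is re-raised.

    :param order_id: id of the ``sale.order`` record
    :param access_token: optional token supplied with the request
    :return: the order as a sudo recordset
    :raises AccessError: when neither the user's rights nor the token grant
        access
    """
    order = request.env['sale.order'].browse([order_id])
    order_sudo = order.sudo()
    try:
        order.check_access_rights('read')
        order.check_access_rule('read')
    except AccessError:
        # An order without a stored token must never be reachable by token.
        # Rejecting it here also means consteq only ever receives two
        # non-empty values, so an unset field ends in the AccessError above
        # rather than in whatever consteq does with an empty operand.
        if (not access_token
                or not order_sudo.access_token
                or not consteq(order_sudo.access_token, access_token)):
            raise
    return order_sudo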
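def _stock_picking_check_access(self, picking_id, access_token=None):
    """Return the picking in sudo mode if the caller is allowed to read it.

    The current user's read rights and record rules are tried first. Only
    when they raise ``AccessError`` is ``access_token`` considered, and it is
    compared with the token of the picking's linked sale order
    (``sale_id.access_token``), not with a token on the picking itself.

    :param picking_id: id of the ``stock.picking`` record
    :param access_token: optional token supplied with the request
    :return: the picking as a sudo recordset
    :raises exceptions.AccessError: when neither the user's rights nor the
        token grant access
    """
    picking = request.env['stock.picking'].browse([picking_id])
    picking_sudo = picking.sudo()
    try:
        picking.check_access_rights('read')
        picking.check_access_rule('read')
    except exceptions.AccessError:
        # A picking with no sale order, or whose sale order has no token,
        # yields an empty value here. Such a picking must never be reachable
        # by token, so reject it before the comparison helper is called.
        if (not access_token
                or not picking_sudo.sale_id.access_token
                or not consteq(picking_sudo.sale_id.access_token, access_token)):
            raise
    return picking_sudo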
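def _invoice_check_access(self, invoice_id, access_token=None):
    """Return the invoice in sudo mode if the caller is allowed to read it.

    The current user's read rights and record rules are tried first. Only
    when they raise ``AccessError`` is ``access_token`` considered: it must
    be non-empty, the invoice must have a token set, and both must match.
    Otherwise the original ``AccessError`` is re-raised.

    :param invoice_id: id of the ``account.invoice`` record
    :param access_token: optional token supplied with the request
    :return: the invoice as a sudo recordset
    :raises AccessError: when neither the user's rights nor the token grant
        access
    """
    invoice = request.env['account.invoice'].browse([invoice_id])
    invoice_sudo = invoice.sudo()
    try:
        invoice.check_access_rights('read')
        invoice.check_access_rule('read')
    except AccessError:
        # An invoice without a stored token must never be reachable by
        # token; reject it before handing an empty value to consteq.
        if (not access_token
                or not invoice_sudo.access_token
                or not consteq(invoice_sudo.access_token, access_token)):
            raise
    return invoice_sudo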
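def mailing(self, mailing_id, email=None, res_id=None, token="", **post):
    """Opt an address out of a mass mailing after checking its token.

    Takes request-supplied arguments and runs in sudo mode, so the
    unsubscribe token is the only access control here. It is therefore
    verified before any other lookup is made on the caller's behalf.

    :param mailing_id: id of the ``mail.mass_mailing`` record
    :param email: address to opt out
    :param res_id: id of the recipient record; converted with ``int`` when
        given
    :param token: unsubscribe token supplied by the caller
    :return: confirmation message, or ``None`` when the mailing does not
        exist
    :raises exceptions.AccessDenied: when the token does not match
    """
    mailing = request.env['mail.mass_mailing'].sudo().browse(mailing_id)
    if mailing.exists():
        # NOTE(review): int() raises ValueError on a non-numeric res_id;
        # confirm the caller or route converts or rejects it beforehand.
        res_id = res_id and int(res_id)

        # Check the token first: no sudo search is run and nothing is
        # written for a caller who has not proven the link is genuine.
        right_token = mailing._unsubscribe_token(res_id, email)
        if not consteq(str(token), right_token):
            raise exceptions.AccessDenied()

        if mailing.mailing_model_name == 'mail.mass_mailing.list':
            # List-based mailing: opt out every contact with this address
            # that belongs to one of the mailing's lists.
            contacts = request.env['mail.mass_mailing.contact'].sudo().search([
                ('email', '=', email),
                ('list_ids', 'in',
                 [mailing_list.id for mailing_list in mailing.contact_list_ids]),
            ])
            res_ids = contacts.ids
        else:
            res_ids = [res_id]

        mailing.update_opt_out(email, res_ids, True)
        return _('You have been unsubscribed successfully')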
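def _has_token_access(res_model, res_id, token=''):
    """Tell whether *token* grants access to the given record.

    The record is read in sudo mode and its token is taken from the field
    named by the model's ``_mail_post_token_field`` attribute.

    :param res_model: model name, used to index ``request.env``
    :param res_id: id of the record
    :param token: token supplied by the caller
    :return: a truthy value only when a token was supplied, the record has a
        token set and the two match; a falsy value otherwise (not
        necessarily a ``bool``)
    """
    record = request.env[res_model].browse(res_id).sudo()
    token_field = request.env[res_model]._mail_post_token_field
    # A record whose token field is unset must never be reachable by token,
    # so an empty stored value is rejected before consteq sees it.
    return (token and record and record[token_field]
            and consteq(record[token_field], token))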