56 lines
2.3 KiB
Python
56 lines
2.3 KiB
Python
|
# -*- coding: utf-8 -*-
|
||
|
|
|
||
|
|
from odoo import models
|
||
|
|
|
||
|
|
|
||
|
|
class IrQweb(models.AbstractModel):
|
||
|
|
"""Add ``raise_on_forbidden_code_for_model`` option for qweb.
|
||
|
|
|
||
|
|
When this option is activated, only a whitelist of expressions
|
||
|
|
is allowed for the given model.
|
||
|
|
"""
|
||
|
|
|
||
|
|
_inherit = "ir.qweb"
|
||
|
|
|
||
|
|
allowed_directives = (
|
||
|
|
"out",
|
||
|
|
"inner-content",
|
||
|
|
"att",
|
||
|
|
"tag-open",
|
||
|
|
"tag-close",
|
||
|
|
)
|
||
|
|
|
||
|
|
def _get_template_cache_keys(self):
|
||
|
|
return super()._get_template_cache_keys() + ["raise_on_forbidden_code_for_model"]
|
||
|
|
|
||
|
|
def _compile_directive(self, el, compile_context, directive, level):
|
||
|
|
if (
|
||
|
|
"raise_on_forbidden_code_for_model" in compile_context
|
||
|
|
and directive not in self.allowed_directives
|
||
|
|
):
|
||
|
|
raise PermissionError("This directive is not allowed for this rendering mode.")
|
||
|
|
return super()._compile_directive(el, compile_context, directive, level)
|
||
|
|
|
||
|
|
def _compile_directive_att(self, el, compile_context, level):
|
||
|
|
if "raise_on_forbidden_code_for_model" in compile_context:
|
||
|
|
if set(el.attrib) - {"t-out", "t-tag-open", "t-tag-close", "t-inner-content"}:
|
||
|
|
raise PermissionError("This directive is not allowed for this rendering mode.")
|
||
|
|
return super()._compile_directive_att(el, compile_context, level)
|
||
|
|
|
||
|
|
def _compile_expr(self, expr, raise_on_missing=False):
|
||
|
|
model = self.env.context.get("raise_on_forbidden_code_for_model")
|
||
|
|
if model is not None and not self._is_expression_allowed(expr, model):
|
||
|
|
raise PermissionError("This directive is not allowed for this rendering mode.")
|
||
|
|
return super()._compile_expr(expr, raise_on_missing)
|
||
|
|
|
||
|
|
def _compile_directive_out(self, el, compile_context, level):
|
||
|
|
if "raise_on_forbidden_code_for_model" in compile_context:
|
||
|
|
if len(el) != 0:
|
||
|
|
raise PermissionError("No child allowed for t-out.")
|
||
|
|
if set(el.attrib) - {'t-out', 't-tag-open', 't-tag-close'}:
|
||
|
|
raise PermissionError("No other attribute allowed for t-out.")
|
||
|
|
return super()._compile_directive_out(el, compile_context, level)
|
||
|
|
|
||
|
|
def _is_expression_allowed(self, expression, model):
|
||
|
|
return model and expression.strip() in self.env[model].mail_allowed_qweb_expressions()
|