Hello
', 'Hello {{ object.name }}
', """{{ 'English Speaker' if object.lang == 'en_US' else 'Other Speaker' }}
""", """{{ 13 + 13 }}
Bonjour
', 'Bonjour {{ object.name }}
', """{{ 'Narrateur Anglais' if object.lang == 'en_US' else 'Autre Narrateur' }}
""" ] # some qweb templates, their views and their xml ids cls.base_qweb_bits = [ 'Hello
', 'Hello
English Speaker Other Speaker
""" ] cls.base_qweb_bits_fr = [ 'Bonjour
', 'Bonjour
Narrateur Anglais Autre Narrateur
""" ] cls.base_qweb_templates = cls.env['ir.ui.view'].create([ {'name': 'TestRender%d' % index, 'type': 'qweb', 'arch': qweb_content, } for index, qweb_content in enumerate(cls.base_qweb_bits) ]) cls.base_qweb_templates_data = cls.env['ir.model.data'].create([ {'name': template.name, 'module': 'mail', 'model': template._name, 'res_id': template.id, } for template in cls.base_qweb_templates ]) cls.base_qweb_templates_xmlids = [ model_data.complete_name for model_data in cls.base_qweb_templates_data ] # render result cls.base_rendered = [ 'Hello
', 'Hello %s
' % cls.render_object.name, """English Speaker
""", """26
Bonjour
', 'Bonjour %s
' % cls.render_object_fr.name, """Autre Narrateur
""" ] cls.base_rendered_void = [ 'Hello
', 'Hello
', """English Speaker
""" ] # link to mail template cls.test_template = cls.env['mail.template'].create({ 'name': 'Test Template', 'subject': cls.base_inline_template_bits[0], 'body_html': cls.base_qweb_bits[1], 'model_id': cls.env['ir.model']._get('res.partner').id, 'lang': '{{ object.lang }}' }) # some translations cls.test_template.with_context(lang='fr_FR').subject = cls.base_qweb_bits_fr[0] cls.test_template.with_context(lang='fr_FR').body_html = cls.base_qweb_bits_fr[1] cls.env['ir.model.data'].create({ 'name': 'test_template_xmlid', 'module': 'mail', 'model': cls.test_template._name, 'res_id': cls.test_template.id, }) # Enable group-based template management cls.env['ir.config_parameter'].set_param('mail.restrict.template.rendering', True) # User without the group "mail.group_mail_template_editor" cls.user_rendering_restricted = common.mail_new_test_user( cls.env, login='user_rendering_restricted', groups='base.group_user', company_id=cls.company_admin.id, name='Code Template Restricted User', notification_type='inbox', signature='--\nErnest' ) cls.user_rendering_restricted.groups_id -= cls.env.ref('mail.group_mail_template_editor') cls.user_employee.groups_id += cls.env.ref('mail.group_mail_template_editor') @tagged('mail_render') class TestMailRender(TestMailRenderCommon): @users('employee') def test_evaluation_context(self): """ Test evaluation context and various ways of tweaking it. """ partner = self.env['res.partner'].browse(self.render_object.ids) MailRenderMixin = self.env['mail.render.mixin'] custom_ctx = {'custom_ctx': 'Custom Context Value'} add_context = { 'custom_value': 'Custom Render Value' } srces = [ 'I am {{ user.name }}', 'Datetime is {{ format_datetime(datetime.datetime(2021, 6, 1), dt_format="MM - d - YYY") }}', 'Context {{ ctx.get("custom_ctx") }}, value {{ custom_value }}', ] results = [ 'I am %s' % self.env.user.name, 'Datetime is 06 - 1 - 2021', 'Context Custom Context Value, value Custom Render Value' ] for src, expected in zip(srces, results): for engine in ['inline_template']: result = MailRenderMixin.with_context(**custom_ctx)._render_template( src, partner._name, partner.ids, engine=engine, add_context=add_context )[partner.id] self.assertEqual(expected, result) @users('employee') def test_prepend_preview_inline_template_to_qweb(self): body = 'body' preview = 'foo{{"false" if 1 > 2 else "true"}}bar' result = self.env['mail.render.mixin']._prepend_preview(Markup(body), preview) self.assertEqual(result, '''body''') @users('employee') def test_render_field(self): template = self.env['mail.template'].browse(self.test_template.ids) partner = self.env['res.partner'].browse(self.render_object.ids) for fname, expected in zip(['subject', 'body_html'], self.base_rendered): rendered = template._render_field( fname, partner.ids, compute_lang=True )[partner.id] self.assertEqual(rendered, expected) @users('employee') def test_render_field_lang(self): """ Test translation in french """ template = self.env['mail.template'].browse(self.test_template.ids) partner = self.env['res.partner'].browse(self.render_object_fr.ids) for fname, expected in zip(['subject', 'body_html'], self.base_rendered_fr): rendered = template._render_field( fname, partner.ids, compute_lang=True )[partner.id] self.assertEqual(rendered, expected) @users('employee') def test_render_field_no_records(self): """ Test rendering on void IDs, or a list with dummy / falsy ID """ template = self.test_template.with_env(self.env) partner = self.render_object.with_env(self.env) for res_ids in ([], (), [False], [''], [None], [False, partner.id]): # various corner cases for fname, expected_obj, expected_void in zip(['subject', 'body_html'], self.base_rendered, self.base_rendered_void): with self.subTest(): rendered_all = template._render_field( fname, res_ids, compute_lang=True ) if res_ids: self.assertTrue(res_ids[0] in rendered_all, f'Rendering: key {repr(res_ids[0])} is considered as valid and should have an entry') self.assertEqual(rendered_all[res_ids[0]], expected_void) if len(res_ids) == 2: # second is partner self.assertTrue(res_ids[1] in rendered_all) self.assertEqual(rendered_all[res_ids[1]], expected_obj) if not res_ids: self.assertFalse(rendered_all, 'Rendering: void input -> void output') @users('employee') def test_render_field_not_existing(self): """ Test trying to render a not-existing field: raise a proper ValueError instead of crashing / raising a KeyError """ template = self.env['mail.template'].browse(self.test_template.ids) partner = self.env['res.partner'].browse(self.render_object_fr.ids) with self.assertRaises(ValueError): _rendered = template._render_field( 'not_existing', partner.ids, compute_lang=True )[partner.id] @users('employee') def test_render_template_inline_template(self): partner = self.env['res.partner'].browse(self.render_object.ids) for source, expected in zip(self.base_inline_template_bits, self.base_rendered): rendered = self.env['mail.render.mixin']._render_template( source, partner._name, partner.ids, engine='inline_template', )[partner.id] self.assertEqual(rendered, expected) @users('employee') def test_render_template_inline_template_w_post_process_custom_local_links(self): def _mock_get_base_url(recordset): return f"http://www.render-object-{recordset._name}-{recordset.id}-{recordset.display_name}.com" partner_ids = self.env['res.partner'].sudo().create([{ 'name': f'test partner {n}' } for n in range(20)]).ids with patch('odoo.models.Model.get_base_url', new=_mock_get_base_url), self.assertQueryCount(12): # make sure name isn't already in cache self.env['res.partner'].browse(partner_ids).invalidate_recordset(['name', 'display_name']) render_results = self.env['mail.render.mixin']._render_template( 'This is a string
' expected = 'This is a string
' for engine in ['inline_template', 'qweb']: result = MailRenderMixin._render_template( src, partner._name, partner.ids, engine=engine, )[partner.id] self.assertEqual(expected, result) # tde: checkme # code xml srces = [ 'This is a string with a number {{ 13+13 }}
', 'This is a string with a number
This is a string with a number 26
' for engine, src in zip(['inline_template', 'qweb'], srces): result = MailRenderMixin._render_template( src, partner._name, partner.ids, engine=engine, )[partner.id] self.assertEqual(expected, str(result)) src = """
We have 3 cookies in stock We have 4 cookies in stock
""" for engine in ['qweb']: result = MailRenderMixin._render_template( src, partner._name, partner.ids, engine=engine, )[partner.id] self.assertEqual(result, expected) @users('employee') def test_replace_local_links(self): local_links_template_bits = [ '', 'Alice
'), ('''''', 'Alice
'), ('''''', 'Alice
'), ('''Alice
'), ('''''', ''), ('''Default
''', 'Alice
'), ('''Default
''', 'Alice
'), ('''Default
''', 'Default
'), ('''Default
''', 'Alice
Alice
'), ('''Default
''', 'Alice
Default
'), ('''''', 'Alice
'), ('''Default
''', 'Default
'), ('''Alice
()
'), ('''''', '2
'), ('''''', ''), ('''''', 'Alice
'), ('''''', 'Alice
'), ('''Alice
'), ('''<h1>test</h1>
'), ) for template, expected in non_static_templates: with (patch('odoo.addons.base.models.ir_qweb.IrQWeb._render', side_effect=o_qweb_render) as qweb_render, patch('odoo.addons.base.models.ir_qweb.unsafe_eval', side_effect=eval) as unsafe_eval): rendered = render(template) self.assertTrue(isinstance(rendered, Markup)) self.assertEqual(rendered, expected) self.assertTrue(qweb_render.called) self.assertTrue(unsafe_eval.called) def test_inline_regex_rendering(self): record = self.env['res.partner'].create({'name': 'Alice'}) def render(template): return self.env['mail.render.mixin']._render_template_inline_template(template, 'res.partner', record.ids)[record.id] static_templates = ( ('''{{object.name}}''', 'Alice'), ('''{{object.contact_name}}''', ''), ('''{{object.name ||| Default}}''', 'Alice'), ('''{{object.contact_name ||| Default}}''', 'Default'), ) for template, expected in static_templates: with patch('odoo.tools.safe_eval.unsafe_eval', side_effect=eval) as unsafe_eval: self.assertEqual(render(template), expected) self.assertFalse(unsafe_eval.called) self.assertFalse(self.env['mail.render.mixin']._has_unsafe_expression_template_inline_template(template, 'res.partner')) non_static_templates = ( ('''{{''}}''', ''), ('''{{1+1}}''', '2'), ('''{{object.env.context.get('test')}}''', ''), ) for template, expected in non_static_templates: with patch('odoo.tools.safe_eval.unsafe_eval', side_effect=eval) as unsafe_eval: self.assertEqual(render(template), expected) self.assertTrue(unsafe_eval.called) self.assertTrue(self.env['mail.render.mixin']._has_unsafe_expression_template_inline_template(template, 'res.partner')) @tagged('mail_render') class TestMailRenderSecurity(TestMailRenderCommon): """ Test security of rendering, based on qweb finding + restricted rendering group usage. """ @users('employee') def test_render_inline_template_impersonate(self): """ Test that the use of SUDO do not change the current user. """ partner = self.env['res.partner'].browse(self.render_object.ids) src = '{{ user.name }} - {{ object.name }}' expected = '%s - %s' % (self.env.user.name, partner.name) result = self.env['mail.render.mixin'].sudo()._render_template_inline_template( src, partner._name, partner.ids )[partner.id] self.assertIn(expected, result) @users('user_rendering_restricted') def test_render_inline_template_restricted(self): """Test if we correctly detect static template.""" res_ids = self.env['res.partner'].search([], limit=1).ids with self.assertRaises(AccessError, msg='Simple user should not be able to render dynamic code'): self.env['mail.render.mixin']._render_template_inline_template( self.base_inline_template_bits[3], 'res.partner', res_ids ) src = """{{ cust_function() }}
""" expected = """return value
""" context = {'cust_function': cust_function} result = self.env['mail.render.mixin'].with_user(self.user_admin)._render_template_inline_template( src, partner._name, partner.ids, add_context=context )[partner.id] self.assertEqual(expected, result) self.assertTrue(cust_function.call) with self.assertRaises(AccessError, msg='Simple user should not be able to render dynamic code'): MailRenderMixin._render_template_inline_template(src, model, res_ids, add_context=context) @users('user_rendering_restricted') def test_security_inline_template_restricted(self): """Test if we correctly detect condition block (which might contains code).""" res_ids = self.env['res.partner'].search([], limit=1).ids with self.assertRaises(AccessError, msg='Simple user should not be able to render dynamic code'): self.env['mail.render.mixin']._render_template_inline_template(self.base_inline_template_bits[4], 'res.partner', res_ids) @users('employee') def test_security_inline_template_unrestricted(self): """Test if we correctly detect condition block (which might contains code).""" res_ids = self.env['res.partner'].search([], limit=1).ids result = self.env['mail.render.mixin']._render_template_inline_template(self.base_inline_template_bits[4], 'res.partner', res_ids)[res_ids[0]] self.assertNotIn('Code not executed', result, 'The condition block did not work') @users('user_rendering_restricted') def test_security_qweb_template_restricted(self): """Test if we correctly detect condition block (which might contains code).""" res_ids = self.env['res.partner'].search([], limit=1).ids with self.assertRaises(AccessError, msg='Simple user should not be able to render complex qweb code'): self.env['mail.render.mixin']._render_template_qweb(self.base_qweb_bits[2], 'res.partner', res_ids) @users('user_rendering_restricted') def test_security_qweb_template_restricted_cached(self): """Test if we correctly detect condition block (which might contains code).""" res_ids = self.env['res.partner'].search([], limit=1).ids # Render with the admin first to fill the cache result = self.env['mail.render.mixin'].with_user(self.user_admin)._render_template_qweb( self.base_qweb_bits[2], 'res.partner', res_ids) self.assertEqual(result[res_ids[0]], "\n English Speaker\n
") # Check that it raise even when rendered previously by an admin with self.assertRaises(AccessError, msg='Simple user should not be able to render complex qweb code'): self.env['mail.render.mixin']._render_template_qweb( self.base_qweb_bits[2], 'res.partner', res_ids) @users('employee') def test_security_qweb_template_unrestricted(self): """Test if we correctly detect condition block (which might contains code).""" res_ids = self.env['res.partner'].search([], limit=1).ids result = self.env['mail.render.mixin']._render_template_qweb(self.base_qweb_bits[1], 'res.partner', res_ids)[res_ids[0]] self.assertNotIn('Code not executed', result, 'The condition block did not work')