safe_eval is too restrictive and blocks all server actions with python code related to an osv.Model with deprecated columns
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Odoo Server (MOVED TO GITHUB) |
Confirmed
|
Medium
|
OpenERP's Framework R&D | ||
Bug Description
In OpenERP v7 (trunk and 7.0) the res.partner core osv has deprecated the res_partner.country column.
This deprecation is interpreted in the orm.py which in turn uses _logger.warning:
if field_column and field_column.
_logger.warning tries to "import warnings" which fires an "from _warnings import ..." and gets blocked by safe_eval because at the moment:
_ALLOWED_MODULES = ['_strptime', 'time']
A quick and dirty way to solve the issue is to change the allowed modules list by adding '_warnings' to it
_ALLOWED_MODULES = ['_strptime', 'time', '_warnings']
Without this it is impossible to use server actions with python code on any osv object with a deprecated column (even if you don't manipulate this column in your server action). To go further as a side effect it is impossible to use python code for server actions on crm.lead because it fires orm requests on res.partner which in turn try to log a warning.
If the security implications are too high we should think to remove the deprecation warning mechanism from orm.py
| Changed in openobject-server: | |
| assignee: | nobody → OpenERP's Framework R&D (openerp-dev-framework) |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
