Odoo 13 bypass
The access_rights_uid parameter of _search and the name_get_uid parameter of name_search can be used to bypass the ir.model.access check, but they cannot bypass the ir.rule (record rule) check.
The ir.rule filtering is implemented in the domain_get method of ir.rule, shown below. By adding a check for the context key forbid_rule_check to this method, the ir.rule check and its domain filtering can be skipped for special cases:
    @api.model
    def domain_get(self, model_name, mode='read'):
        dom = self._compute_domain(model_name, mode)
        # Added check: skip the record-rule filter when the context flag is set
        if dom and (not self.env.context.get('forbid_rule_check')):
            # _where_calc is called as superuser. This means that rules can
            # involve objects on which the real uid has no access rights.
            # This means also there is no implicit restriction (e.g. an object
            # references another object the user can't see).
            query = self.env[model_name].sudo()._where_calc(dom, active_test=False)
            return query.where_clause, query.where_clause_params, query.tables
        return [], [], ['"%s"' % self.env[model_name]._table]
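The following is an added, stand-alone model of the pattern above (not code from the post or from Odoo); because Odoo's call_kw takes the context out of the RPC request's kwargs and applies it with with_context, a bypass keyed on a context flag is reachable by any client that adds the key to its request, so the example contrasts it with a variant that only honours an explicit server-side keyword argument. All data, model names and helper names are constructed for the demo.

```python
# Constructed stand-in for an ir.rule: res.partner rows limited to the
# current user's own records, plus a few sample rows.
RULE_DOMAINS = {'res.partner': [('user_id', '=', 'uid')]}
PARTNERS = [
    {'id': 1, 'name': 'Alice Co', 'user_id': 2},
    {'id': 2, 'name': 'Bob Ltd', 'user_id': 3},
    {'id': 3, 'name': 'Carol GmbH', 'user_id': 2},
]


def compute_domain(model, uid):
    """Stand-in for ir.rule._compute_domain: substitute the caller's uid."""
    return [(f, op, uid if v == 'uid' else v)
            for f, op, v in RULE_DOMAINS.get(model, [])]


def apply_domain(rows, dom):
    """Minimal evaluator for '=' leaves, enough to show the filtering."""
    return [r for r in rows if all(r[f] == v for f, _op, v in dom)]


def domain_get_flag_keyed(uid, context, model):
    """The post's pattern: a context key switches the rule domain off."""
    dom = compute_domain(model, uid)
    if dom and not context.get('forbid_rule_check'):
        return dom
    return []


def domain_get_hardened(uid, model, bypass_rules=False):
    """Bypass only via a keyword argument; env.context is never consulted,
    so server code can request it but an RPC client cannot."""
    dom = compute_domain(model, uid)
    return dom if dom and not bypass_rules else []


def rpc_search_flag_keyed(uid, client_context, model='res.partner'):
    """Mimic call_kw: the client's context becomes env.context."""
    env_context = dict(client_context)
    dom = domain_get_flag_keyed(uid, env_context, model)
    return [r['id'] for r in apply_domain(PARTNERS, dom)]


def rpc_search_hardened(uid, client_context, model='res.partner'):
    """Same RPC path, but the record-rule filter ignores client context."""
    dom = domain_get_hardened(uid, model)  # client_context has no effect
    return [r['id'] for r in apply_domain(PARTNERS, dom)]
```

With uid 2 the flag-keyed path returns only ids 1 and 3 until the client adds forbid_rule_check to its context, after which it returns all rows; the hardened path keeps returning 1 and 3.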
The methods that go through this filter, and where each is mainly called:
search(): called from search views
search_count(): called when a view counts records
name_search(): called when searching a many2one field
search_read(): called when opening "Search More" on a many2one field
read_group(): called when grouping in a search view