Commit 90528638 authored by Jérome Perrin's avatar Jérome Perrin

CRM: prevent back office agent from changing event state when viewing its image.

There can be two cases:
- the image is on the same domain the agent is using, so the agent is logged in
- the image is on another domain, so the agent is not logged in, but we can somehow guess from the referer that the image is being viewed from ERP5
parent 9acddff7
......@@ -50,21 +50,32 @@
</item>
<item>
<key> <string>_body</string> </key>
<value> <string>portal = context.getPortalObject()\n
<value> <string>"""This script is indented to be used in email emage to mark the event as received\n
when the recipient opens the email in his email client.\n
\n
We do not want to mark an email as read when backoffice agent displays the event\n
in ERP5 though.\n
"""\n
portal = context.getPortalObject()\n
request = context.REQUEST\n
event_id = request[\'id\']\n
\n
user = portal.ERP5Site_getAuthenticatedMemberPersonValue()\n
# If we have a logged in user it\'s probably a backoffice agent.\n
if user is None:\n
if portal.Base_getHMACHexdigest(portal.Base_getEventHMACKey(), request[\'id\']) != request["hash"]:\n
# If the referer contains the url of the event we are probably viewing the event\n
# from ERP5 interface. We do not want to mark the event as received in that case\n
if not (\'/event_module/%s\' % event_id) in request.HTTP_REFERER:\n
if portal.Base_getHMACHexdigest(portal.Base_getEventHMACKey(), event_id) != request["hash"]:\n
from zExceptions import Unauthorized\n
raise Unauthorized\n
raise Unauthorized()\n
\n
portal.portal_activities.activate(\n
activity="SQLQueue").Base_markEventAsReceived(event_id=request[\'id\'], \n
hmac=request["hash"])\n
\n
redirect_url = "%s/Base_download" %(context.getRelativeUrl(),)\n
context.REQUEST[ \'RESPONSE\' ].redirect(redirect_url)\n
# serve the image\n
return context.index_html(request, request.RESPONSE, format=None)\n
</string> </value>
</item>
<item>
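Review bot: The new `if not ('/event_module/%s' % event_id) in request.HTTP_REFERER:` line turns a client-supplied header into an authorization input: the rendered page has lost the indentation, but if the `Base_getHMACHexdigest(...) != request["hash"]` comparison nests under the Referer test as the print order suggests, an unauthenticated request whose Referer merely contains `/event_module/<id>` is served without the `hash` parameter ever being checked. Whatever the intended nesting, the HMAC check should be unconditional inside `if user is None:` and the Referer heuristic should only decide whether `Base_markEventAsReceived` is activated, not whether the request is authorized. Attribute access on `request.HTTP_REFERER` also appears to raise when no Referer header is sent, which I believe is the usual case for an email client loading the image, so `request.get('HTTP_REFERER') or ''` keeps the normal path working. The same applies to the `Base_markEventAsDelivered` script in the second file section, whose docstring likewise reads `indented` / `emage` for `intended` / `image`.
```python
if user is None:
    # Authorization first: the hash is the only thing an anonymous caller can prove.
    if portal.Base_getHMACHexdigest(portal.Base_getEventHMACKey(), event_id) != request["hash"]:
        from zExceptions import Unauthorized
        raise Unauthorized()
    # The Referer is a heuristic, not a credential: it only decides whether to mark the event,
    # and it may be absent entirely.
    referer = request.get('HTTP_REFERER') or ''
    if ('/event_module/%s' % event_id) not in referer:
        portal.portal_activities.activate(
            activity="SQLQueue").Base_markEventAsReceived(event_id=event_id,
                                                         hmac=request["hash"])
# … unchanged: serve the image …
```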
......@@ -50,21 +50,32 @@
</item>
<item>
<key> <string>_body</string> </key>
<value> <string>portal = context.getPortalObject()\n
<value> <string>"""This script is indented to be used in email emage to mark the event as delivered\n
when the recipient opens the email in his email client.\n
\n
We do not want to mark an email as read when backoffice agent displays the event\n
in ERP5 though.\n
"""\n
portal = context.getPortalObject()\n
request = context.REQUEST\n
event_id = request[\'id\']\n
\n
user = portal.ERP5Site_getAuthenticatedMemberPersonValue()\n
# If we have a logged in user it\'s probably a backoffice agent.\n
if user is None:\n
if portal.Base_getHMACHexdigest(portal.Base_getEventHMACKey(), request[\'id\']) != request["hash"]:\n
# If the referer contains the url of the event we are probably viewing the event\n
# from ERP5 interface. We do not want to mark the event as delivered in that case\n
if not (\'/event_module/%s\' % event_id) in request.HTTP_REFERER:\n
if portal.Base_getHMACHexdigest(portal.Base_getEventHMACKey(), event_id) != request["hash"]:\n
from zExceptions import Unauthorized\n
raise Unauthorized\n
raise Unauthorized()\n
\n
portal.portal_activities.activate(\n
activity="SQLQueue").Base_markEventAsDelivered(event_id=request[\'id\'], \n
hmac=request["hash"])\n
\n
redirect_url = "%s/Base_download" %(context.getRelativeUrl(),)\n
context.REQUEST[ \'RESPONSE\' ].redirect(redirect_url)\n
# serve the image\n
return context.index_html(request, request.RESPONSE, format=None)\n
</string> </value>
</item>
<item>
696
\ No newline at end of file
697
\ No newline at end of file