Code review comment for lp:~serpentcs/web-addons/multi_image_7.0

Nhomar - Vauxoo (nhomar) wrote :

A little hole is:

158 + def upload_image_multi(self, req, callback, ufile):
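Review bot: the quoted signature `def upload_image_multi(self, req, callback, ufile)` takes the request and the uploaded file but no user or session argument, and nothing visible on this line ties the upload to an authenticated session or to an access check on the record the image will be attached to; the decorator and the body are not quoted, so that cannot be confirmed from the hunk alone. Before writing `ufile`, the handler should reject requests that carry no authenticated session and run the normal model access check for the target record, and it should bound the accepted size, since an upload path that anyone can reach is both an ACL bypass and a disk-filling vector.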

As you can see, it is not asking for the session object to validate ACL. I don't have time now to prepare a use case, but it is dangerous.

See how I think we have an important security hole with the approach you used to upload files.

https://dl.dropboxusercontent.com/u/2428846/Captura%20de%20pantalla%202013-09-28%20a%20la%28s%29%2001.14.21.png

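The shape of the problem raised in the comment above, as an added example that is not code from the merge proposal or from the multi_image addon: a minimal, framework-agnostic upload handler written twice, once accepting the file without looking at the session (the risky shape) and once refusing anonymous callers and checking a write ACL before storing anything. The Request, Session, WRITE_ACL table, record identifiers and handler names are all hypothetical stand-ins constructed for the example.

```python
"""Added example, not part of the reviewed branch: an upload handler
without and with a session/ACL check. Names and data are constructed."""
import hashlib
import io
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """Raised when the caller is anonymous or lacks write access."""


@dataclass
class Session:
    uid: Optional[int] = None  # None means nobody is logged in


@dataclass
class Request:
    """Stand-in for a web framework's request object (hypothetical)."""
    session: Session = field(default_factory=Session)


# Hypothetical ACL: (model, record id) -> set of uids allowed to attach images.
# A real application would ask the ORM for model rights and record rules.
WRITE_ACL = {
    ("product.product", 7): {3},
    ("product.product", 8): {3, 5},
}

MAX_UPLOAD_BYTES = 1024 * 1024  # cap accepted size so the endpoint cannot fill disk


def store_image(model, res_id, ufile):
    """Read the upload, enforce the size cap, and return a record describing it.
    The client-supplied filename is never used; content is identified by hash."""
    data = ufile.read(MAX_UPLOAD_BYTES + 1)
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("upload exceeds %d bytes" % MAX_UPLOAD_BYTES)
    return {
        "model": model,
        "res_id": res_id,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def upload_image_unchecked(req, model, res_id, ufile):
    """The risky shape: the request object is received but its session is
    never consulted, so an anonymous caller can attach an image anywhere."""
    return store_image(model, res_id, ufile)


def upload_image_checked(req, model, res_id, ufile):
    """The guarded shape: require a logged-in user, then require that this
    user may write the target record, before touching the file at all."""
    uid = req.session.uid
    if uid is None:
        raise Forbidden("login required")
    if uid not in WRITE_ACL.get((model, res_id), set()):
        raise Forbidden("uid %d may not write %s,%d" % (uid, model, res_id))
    return store_image(model, res_id, ufile)


def attempt(handler, req, model, res_id, payload):
    """Drive a handler with constructed bytes and summarise the outcome."""
    try:
        result = handler(req, model, res_id, io.BytesIO(payload))
        return "stored:%d" % result["size"]
    except Forbidden as exc:
        return "forbidden:%s" % exc


if __name__ == "__main__":
    anon = Request()
    owner = Request(Session(uid=3))
    other = Request(Session(uid=4))
    payload = b"PNG-bytes"  # constructed stand-in for image content
    for name, handler in (("unchecked", upload_image_unchecked),
                          ("checked", upload_image_checked)):
        for who, req in (("anonymous", anon), ("uid 3", owner), ("uid 4", other)):
            print(name, who, attempt(handler, req, "product.product", 7, payload))
```

The unchecked handler stores the anonymous upload; the checked one refuses it, refuses a logged-in user who is not in the ACL for that record, and accepts the permitted user. The size cap sits in store_image so both shapes share it, but only the checked handler reaches it behind an identity.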