[IMP] fields: log diff of html field when you cannot edit it
Since commit cf844e3, we have a new group `group_sanitize_override`
that allows preventing users from adding code that will be evaluated.

To know whether a user who is a restricted editor and not in this group
can edit a field, we do the diff between the normalized version and
the sanitized one.

It is difficult to debug in production why a user cannot edit an HTML
field because we don't have a log of this diff.
Now we add the unified diff to the log. It should not occur too often,
and if necessary we will reduce the occurrences in the log later
(if in debug mode, if loaded into the iframe [in edit mode with @], ...).

closes odoo#133395

X-original-commit: d60759d
Signed-off-by: Romain Derie (rde) <rde@odoo.com>
Signed-off-by: Jérémy Kersten <jke@odoo.com>
JKE-be committed Aug 29, 2023
1 parent 7746c67 commit 9a44259
Showing 1 changed file with 18 additions and 1 deletion.
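As an added worked example of the check the commit message describes (this is not code from the commit or from Odoo): diff the normalized field value against its sanitized form, treat any difference as "a restricted editor cannot save this", and render that diff for the log so that user-supplied content cannot split log records or inject terminal escape sequences. The `normalize_html` and `sanitize_html` helpers are deliberately minimal stand-ins for a real HTML sanitizer, the DEBUG-level gating is a design choice of this example, and the sample values are constructed; none of them reproduce Odoo's actual implementation.

```python
import difflib
import logging
import re

_logger = logging.getLogger(__name__)

# Stand-in sanitizer rules (assumption: a real deployment uses a proper HTML
# sanitizer; these two regexes only illustrate the "strip executable content"
# step that the diff below is measured against).
_SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
_ON_ATTR_RE = re.compile(r"""\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.I)

# Control characters (newline, ESC, ...) that must never reach a log verbatim.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def normalize_html(value: str) -> str:
    """Canonical form applied to both sides before comparing: one line-ending
    convention and no trailing whitespace, so cosmetic differences do not
    count as a sanitizer change."""
    return "\n".join(line.rstrip() for line in value.replace("\r\n", "\n").splitlines())


def sanitize_html(value: str) -> str:
    """Stand-in for the sanitizer: drops <script> blocks and on* handlers."""
    return _ON_ATTR_RE.sub("", _SCRIPT_RE.sub("", value))


def blocked_diff(value: str) -> list[str]:
    """Unified-diff lines (hunks only, the ---/+++ header dropped) between the
    sanitized and the normalized value. An empty list means the sanitizer
    changed nothing, i.e. a restricted editor may save this value."""
    normalized = normalize_html(value)
    sanitized = normalize_html(sanitize_html(value))
    if sanitized == normalized:
        return []
    diff = difflib.unified_diff(sanitized.splitlines(), normalized.splitlines(), lineterm="")
    return list(diff)[2:]


def can_restricted_editor_save(value: str) -> bool:
    return not blocked_diff(value)


def log_safe(line: str) -> str:
    """Escape control characters so a user-supplied line cannot split the log
    record or inject ANSI sequences into the terminal of whoever reads it."""
    return _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), line)


def format_blocked_diff(model_desc: str, field_label: str, diff_lines: list[str]) -> str:
    header = f"The field ({model_desc}, {field_label}) will not be editable:"
    return "\n".join([header, *(log_safe(line) for line in diff_lines)])


def log_blocked_field(model_desc: str, field_label: str, value: str,
                      logger: logging.Logger = _logger) -> list[str]:
    """Compute the diff and log it at DEBUG only when that level is enabled,
    so the (possibly sensitive) record body is not written out in production
    by default. Returns the diff lines so the caller can raise its error."""
    lines = blocked_diff(value)
    if lines and logger.isEnabledFor(logging.DEBUG):
        logger.debug("%s", format_blocked_diff(model_desc, field_label, lines))
    return lines


# Constructed sample values (not real records).
SAMPLE_OK = "<p>Hello <b>world</b></p>\n<p>Plain paragraph</p>"
SAMPLE_BLOCKED = (
    "<p>Hello</p>\n"
    "<script>alert(1)</script>\n"
    '<img src="logo.png" onerror="alert(2)">\n'
    "<p>Bye</p>"
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print("ok value editable:", can_restricted_editor_save(SAMPLE_OK))
    print("blocked value editable:", can_restricted_editor_save(SAMPLE_BLOCKED))
    log_blocked_field("Article", "Body", SAMPLE_BLOCKED)
```

Run it directly to see the escaped diff logged at DEBUG; with the default WARNING level nothing is written, which is the point of gating on `isEnabledFor` rather than inspecting the root logger's handlers.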
19 changes: 18 additions & 1 deletion odoo/fields.py
Expand Up @@ -25,10 +25,11 @@
from markupsafe import Markup
from psycopg2.extras import Json as PsycopgJson, execute_values
from psycopg2.sql import SQL, Identifier
from difflib import get_close_matches
from difflib import get_close_matches, unified_diff
from hashlib import sha256

from .models import check_property_field_value_name
from .netsvc import ColoredFormatter, GREEN, RED, DEFAULT, COLOR_PATTERN
from .tools import (
float_repr, float_round, float_compare, float_is_zero, human_size,
pg_varchar, ustr, OrderedSet, pycompat, sql, date_utils, unique,
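Review bot: the new `from .netsvc import ColoredFormatter, GREEN, RED, DEFAULT, COLOR_PATTERN` line ties `fields.py`, the core ORM field layer, to the logging-formatter module purely for cosmetic log colouring; check that `netsvc` does not (transitively) import `fields`, or this becomes an import cycle, and consider whether plain uncoloured output would do. The second hunk also calls `logging.getLogger()`, which requires a top-level `import logging` that is not visible in this context, so confirm it is already present at the top of the file.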
Expand Down Expand Up @@ -2024,6 +2025,22 @@ def _convert(self, value, record, validate):
# sanitized. It means that someone who was part of a group
# allowing to bypass the sanitation saved that field
# previously.

diff = unified_diff(
original_value_sanitized.splitlines(),
original_value_normalized.splitlines(),
)

with_colors = isinstance(logging.getLogger().handlers[0].formatter, ColoredFormatter)
diff_str = f'The field ({record._description}, {self.string}) will not be editable:\n'
for line in list(diff)[2:]:
if with_colors:
color = {'-': RED, '+': GREEN}.get(line[:1], DEFAULT)
diff_str += COLOR_PATTERN % (30 + color, 40 + DEFAULT, line.rstrip() + "\n")
else:
diff_str += line.rstrip() + '\n'
_logger.info(diff_str)

raise UserError(_(
"The field value you're saving (%s %s) includes content that is "
"restricted for security reasons. It is possible that someone "
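Review bot: `logging.getLogger().handlers[0]` raises `IndexError` when the root logger has no handlers (e.g. under a test runner or a custom logging configuration), which would turn the intended `UserError` into a server error; guard it, for example `handlers = logging.getLogger().handlers` followed by `with_colors = bool(handlers) and isinstance(handlers[0].formatter, ColoredFormatter)`. Second, every line appended to `diff_str` is taken verbatim from the user-submitted field value, so a value containing ESC/ANSI sequences or other control characters lands in the log unescaped, and the whole (possibly sensitive) record body is written at INFO on every blocked save; escape control characters before logging and/or log at DEBUG, as the commit message already anticipates reducing the occurrences. Minor: passing `lineterm=''` to `unified_diff` would make the `rstrip()` calls unnecessary, and `list(diff)[2:]` silently depends on the two `---`/`+++` header lines always being emitted, which deserves a comment.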