Name:
[FIX] AI cluster Wave-1: pre-existing security remediation (4 CRITICAL + 13 HIGH)
State:
Failed
finished in 15m
PR State:
merged
PR Author:
David Tran
PR Author Email:
PR:
#52
Committer:
David Tran
Committer Email:
davidtran.hp@gmail.com
Commit:
ac15958326d6093957d0007ca492832cb20bd7d7
Description:
[FIX] viin_ai_approval,viin_ai_base: end-of-wave review fixes (H7 effective scoping, error-log savepoint)
Independent end-of-wave review caught two HIGH issues in the wave-1 fixes:
- H7 RESIDUAL: the WI-3 advisory-cron company scope used ('company_id','in',
self.env.companies.ids), but in the cron context env.companies = ALL companies
(cron user has no allowed_company_ids) -> the scope was a no-op = cross-tenant
processing leak, and its test was tautological (it pre-set allowed_company_ids).
Fixed: pin the advisory cron user_id, and restructure _cron_run_ai_advisory to
iterate companies explicitly with a literal ('company_id','=',company.id) filter
under with_company(company) - isolation no longer depends on env.companies. The
test now runs from the real all-company env and goes RED on the old code
(scan saw companies [1,2,3,4]) -> GREEN.
- error-log savepoint: _record_error_usage now wraps the separate-cursor create in
env.cr.savepoint(), matching the canonical api_request_mixin.log_request pattern.
132/132 viin_ai_base + 95/95 viin_ai_ops/approval tests pass on real odoo-bin.
Branch:
17.0
Instance ID:
0
Age:
Up-time: