From 401b6c536d89e72d64437c4f5be8d10f88fbb07b Mon Sep 17 00:00:00 2001
From: "Harry (Open ERP)"
Date: Fri, 29 Jan 2010 11:36:44 +0530
Subject: [PATCH] [IMP] security : move login, access, check method into res.users object
bzr revid: hmo@tinyerp.com-20100129060644-q846msahr5mtqvsr
---
bin/addons/base/res/res_user.py | 53 +++++++++++++++++++++++++++++++++
bin/service/security.py | 48 ++++++-----------------
2 files changed, 62 insertions(+), 39 deletions(-)
diff --git a/bin/addons/base/res/res_user.py b/bin/addons/base/res/res_user.py
index 7b9b4d113bc..c85f2544e3c 100644
--- a/bin/addons/base/res/res_user.py
+++ b/bin/addons/base/res/res_user.py
@@ -23,7 +23,9 @@ from osv import fields,osv
 from osv.orm import except_orm
 import tools
 import pytz
+import pooler
 from tools.translate import _
+from service import security
 class groups(osv.osv):
 _name = "res.groups"
@@ -119,6 +121,7 @@ def _companies_get(self,cr, uid, context={}):
 class users(osv.osv):
 __admin_ids = {}
+ _uid_cache = {}
 _name = "res.users"
 def get_current_company(self, cr, uid):
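Review bot: `from service import security` makes the addon module depend on the server's service layer solely to raise `security.ExceptionNoTb`, while `bin/service/security.py` in this same patch resolves `res.users` through the pool at call time, so the dependency now points both ways even though no import cycle is visible at module load. Housing `ExceptionNoTb` in a neutral module that both sides already import, or raising a plain exception in the model and mapping it in the service layer, would keep the addon from importing server internals. `import pooler` is used by the new methods further down and is fine as added.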
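Review bot: `_uid_cache = {}` is a mutable class attribute, so every `res.users` instance shares one dict, and what the new `check` method stores in it (plaintext passwords keyed by database name, then uid, per the next hunk) lives for the process lifetime; nothing in this patch clears or expires an entry. A comment stating that contract would help the next maintainer, e.g. `# {db: {uid: password}} shared by all instances; not invalidated by this module`. If per-instance state was intended, the dict belongs in `__init__` rather than the class body.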
@@ -260,6 +263,56 @@ class users(osv.osv):
 data_id = dataobj._get_id(cr, 1, 'base', 'action_res_users_my')
 return dataobj.browse(cr, uid, data_id, context).res_id
+
+ def login(self, db, login, password):
+ if not password:
+ return False
+ cr = pooler.get_db(db).cursor()
+ cr.execute('select id from res_users where login=%s and password=%s and active', (tools.ustr(login), tools.ustr(password)))
+ res = cr.fetchone()
+ cr.close()
+ if res:
+ return res[0]
+ else:
+ return False
+
+ def check_super(self, passwd):
+ if passwd == tools.config['admin_passwd']:
+ return True
+ else:
+ raise security.ExceptionNoTb('AccessDenied')
+
+ def check(self, db, uid, passwd):
+ if not passwd:
+ return False
+ cached_pass = self._uid_cache.get(db, {}).get(uid)
+ if (cached_pass is not None) and cached_pass == passwd:
+ return True
+ cr = pooler.get_db(db).cursor()
+ cr.execute('select count(1) from res_users where id=%s and password=%s and active=%s', (int(uid), passwd, True))
+ res = cr.fetchone()[0]
+ cr.close()
+ if not bool(res):
+ raise security.ExceptionNoTb('AccessDenied')
+ if res:
+ if self._uid_cache.has_key(db):
+ ulist = self._uid_cache[db]
+ ulist[uid] = passwd
+ else:
+ self._uid_cache[db] = {uid:passwd}
+ return bool(res)
+
+ def access(self, db, uid, passwd, sec_level, ids):
+ if not passwd:
+ return False
+ cr = pooler.get_db(db).cursor()
+ cr.execute('select id from res_users where id=%s and password=%s', (uid, passwd))
+ res = cr.fetchone()
+ cr.close()
+ if not res:
+ raise security.ExceptionNoTb('Bad username or password')
+ return res[0]
+
 _constraints = [
 (_check_company, 'This user can not connect using this company !', ['company_id']),
 ]
diff --git a/bin/service/security.py b/bin/service/security.py
index ea87208c2dd..3ecbea73094 100644
--- a/bin/service/security.py
+++ b/bin/service/security.py
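Review bot: `check` returns True on the `_uid_cache` hit before the `active` flag or the stored password is consulted, and nothing in this patch ever removes an entry, so a user who is deactivated or changes their password keeps authenticating with the old password until the process restarts; the model's password-change and deactivation paths should drop the affected ids, e.g. `self._uid_cache.get(db, {}).pop(user_id, None)` for each id written. `access` also omits the `and active` condition that `login` and `check` apply, and it accepts `sec_level` and `ids` without reading them, which deserves a comment if they are kept for signature compatibility. In all three methods `cr.close()` runs only on the success path, so a failing `execute` leaks the cursor; a `try`/`finally` around the query fixes that. The `if res:` following `if not bool(res): raise ...` is always true and can be removed.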
@@ -22,8 +22,6 @@ import pooler
 import tools
-_uid_cache = {}
-
 # When rejecting a password, we need to give as little info as possible
 class ExceptionNoTb(Exception):
 def __init__(self, msg ):
@@ -32,16 +30,9 @@ class ExceptionNoTb(Exception):
 self.args = (msg, '')
 def login(db, login, password):
- if not password:
- return False
- cr = pooler.get_db(db).cursor()
- cr.execute('select id from res_users where login=%s and password=%s and active', (tools.ustr(login), tools.ustr(password)))
- res = cr.fetchone()
- cr.close()
- if res:
- return res[0]
- else:
- return False
+ pool = pooler.get_pool(db)
+ user_obj = pool.get('res.users')
+ return user_obj.login(db, login, password)
 def check_super(passwd):
 if passwd == tools.config['admin_passwd']:
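Review bot: The lookup pair `pool = pooler.get_pool(db)` / `user_obj = pool.get('res.users')` introduced in `login` is repeated verbatim in `check` and `access` in the next hunk; a small helper such as `def _users(db): return pooler.get_pool(db).get('res.users')` would keep each wrapper to one line and give a single place to handle a missing registry. `check_super` just below is left as a direct comparison while a copy of it is added to `res.users` in this same patch, so the two implementations can now drift; either delegate it like the others or drop the model-side copy. Whether `pooler.get_pool` loads the registry for a database that is not yet loaded is not visible here and is worth confirming, since `login` is the first call made for a fresh database.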
@@ -50,35 +41,14 @@ def check_super(passwd):
 raise ExceptionNoTb('AccessDenied')
 def check(db, uid, passwd):
- if not passwd:
- return False
- cached_pass = _uid_cache.get(db, {}).get(uid)
- if (cached_pass is not None) and cached_pass == passwd:
- return True
- cr = pooler.get_db(db).cursor()
- cr.execute('select count(1) from res_users where id=%s and password=%s and active=%s', (int(uid), passwd, True))
- res = cr.fetchone()[0]
- cr.close()
- if not bool(res):
- raise ExceptionNoTb('AccessDenied')
- if res:
- if _uid_cache.has_key(db):
- ulist = _uid_cache[db]
- ulist[uid] = passwd
- else:
- _uid_cache[db] = {uid:passwd}
- return bool(res)
+ pool = pooler.get_pool(db)
+ user_obj = pool.get('res.users')
+ return user_obj.check(db, uid, passwd)
 def access(db, uid, passwd, sec_level, ids):
- if not passwd:
- return False
- cr = pooler.get_db(db).cursor()
- cr.execute('select id from res_users where id=%s and password=%s', (uid, passwd))
- res = cr.fetchone()
- cr.close()
- if not res:
- raise ExceptionNoTb('Bad username or password')
- return res[0]
+ pool = pooler.get_pool(db)
+ user_obj = pool.get('res.users')
+ return user_obj.access(db, uid, passwd, sec_level, ids)
 # vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
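Review bot: `access` forwards `sec_level` and `ids` to `user_obj.access`, which in the first file of this patch accepts them but never reads them, so the wrapper now passes arguments with no effect; a comment such as `# sec_level/ids retained for existing callers; unused by res.users.access` would record that this is deliberate. If `pool.get('res.users')` can return None for a database whose registry is not loaded, `user_obj.check(...)` and `user_obj.access(...)` here fail with an AttributeError rather than the `ExceptionNoTb('AccessDenied')` the rest of this module raises; a guard on `user_obj` before the call would keep the failure mode uniform, and the same applies to `login` in the previous hunk.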