[IMP] security : move login, access, check method into res.users object
bzr revid: hmo@tinyerp.com-20100129060644-q846msahr5mtqvsr
This commit is contained in:
parent
0ded9e51d5
commit
401b6c536d
|
@ -23,7 +23,9 @@ from osv import fields,osv
|
||||||
from osv.orm import except_orm
|
from osv.orm import except_orm
|
||||||
import tools
|
import tools
|
||||||
import pytz
|
import pytz
|
||||||
|
import pooler
|
||||||
from tools.translate import _
|
from tools.translate import _
|
||||||
|
from service import security
|
||||||
|
|
||||||
class groups(osv.osv):
|
class groups(osv.osv):
|
||||||
_name = "res.groups"
|
_name = "res.groups"
|
||||||
|
@ -119,6 +121,7 @@ def _companies_get(self,cr, uid, context={}):
|
||||||
|
|
||||||
class users(osv.osv):
|
class users(osv.osv):
|
||||||
__admin_ids = {}
|
__admin_ids = {}
|
||||||
|
_uid_cache = {}
|
||||||
_name = "res.users"
|
_name = "res.users"
|
||||||
|
|
||||||
def get_current_company(self, cr, uid):
|
def get_current_company(self, cr, uid):
|
||||||
|
@ -260,6 +263,56 @@ class users(osv.osv):
|
||||||
data_id = dataobj._get_id(cr, 1, 'base', 'action_res_users_my')
|
data_id = dataobj._get_id(cr, 1, 'base', 'action_res_users_my')
|
||||||
return dataobj.browse(cr, uid, data_id, context).res_id
|
return dataobj.browse(cr, uid, data_id, context).res_id
|
||||||
|
|
||||||
|
|
||||||
|
def login(self, db, login, password):
|
||||||
|
if not password:
|
||||||
|
return False
|
||||||
|
cr = pooler.get_db(db).cursor()
|
||||||
|
cr.execute('select id from res_users where login=%s and password=%s and active', (tools.ustr(login), tools.ustr(password)))
|
||||||
|
res = cr.fetchone()
|
||||||
|
cr.close()
|
||||||
|
if res:
|
||||||
|
return res[0]
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
||||||
|
def check_super(self, passwd):
|
||||||
|
if passwd == tools.config['admin_passwd']:
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
raise security.ExceptionNoTb('AccessDenied')
|
||||||
|
|
||||||
|
def check(self, db, uid, passwd):
|
||||||
|
if not passwd:
|
||||||
|
return False
|
||||||
|
cached_pass = self._uid_cache.get(db, {}).get(uid)
|
||||||
|
if (cached_pass is not None) and cached_pass == passwd:
|
||||||
|
return True
|
||||||
|
cr = pooler.get_db(db).cursor()
|
||||||
|
cr.execute('select count(1) from res_users where id=%s and password=%s and active=%s', (int(uid), passwd, True))
|
||||||
|
res = cr.fetchone()[0]
|
||||||
|
cr.close()
|
||||||
|
if not bool(res):
|
||||||
|
raise security.ExceptionNoTb('AccessDenied')
|
||||||
|
if res:
|
||||||
|
if self._uid_cache.has_key(db):
|
||||||
|
ulist = self._uid_cache[db]
|
||||||
|
ulist[uid] = passwd
|
||||||
|
else:
|
||||||
|
self._uid_cache[db] = {uid:passwd}
|
||||||
|
return bool(res)
|
||||||
|
|
||||||
|
def access(self, db, uid, passwd, sec_level, ids):
|
||||||
|
if not passwd:
|
||||||
|
return False
|
||||||
|
cr = pooler.get_db(db).cursor()
|
||||||
|
cr.execute('select id from res_users where id=%s and password=%s', (uid, passwd))
|
||||||
|
res = cr.fetchone()
|
||||||
|
cr.close()
|
||||||
|
if not res:
|
||||||
|
raise security.ExceptionNoTb('Bad username or password')
|
||||||
|
return res[0]
|
||||||
|
|
||||||
_constraints = [
|
_constraints = [
|
||||||
(_check_company, 'This user can not connect using this company !', ['company_id']),
|
(_check_company, 'This user can not connect using this company !', ['company_id']),
|
||||||
]
|
]
|
||||||
|
|
|
@ -22,8 +22,6 @@
|
||||||
import pooler
|
import pooler
|
||||||
import tools
|
import tools
|
||||||
|
|
||||||
_uid_cache = {}
|
|
||||||
|
|
||||||
# When rejecting a password, we need to give as little info as possible
|
# When rejecting a password, we need to give as little info as possible
|
||||||
class ExceptionNoTb(Exception):
|
class ExceptionNoTb(Exception):
|
||||||
def __init__(self, msg ):
|
def __init__(self, msg ):
|
||||||
|
@ -32,16 +30,9 @@ class ExceptionNoTb(Exception):
|
||||||
self.args = (msg, '')
|
self.args = (msg, '')
|
||||||
|
|
||||||
def login(db, login, password):
|
def login(db, login, password):
|
||||||
if not password:
|
pool = pooler.get_pool(db)
|
||||||
return False
|
user_obj = pool.get('res.users')
|
||||||
cr = pooler.get_db(db).cursor()
|
return user_obj.login(db, login, password)
|
||||||
cr.execute('select id from res_users where login=%s and password=%s and active', (tools.ustr(login), tools.ustr(password)))
|
|
||||||
res = cr.fetchone()
|
|
||||||
cr.close()
|
|
||||||
if res:
|
|
||||||
return res[0]
|
|
||||||
else:
|
|
||||||
return False
|
|
||||||
|
|
||||||
def check_super(passwd):
|
def check_super(passwd):
|
||||||
if passwd == tools.config['admin_passwd']:
|
if passwd == tools.config['admin_passwd']:
|
||||||
|
@ -50,35 +41,14 @@ def check_super(passwd):
|
||||||
raise ExceptionNoTb('AccessDenied')
|
raise ExceptionNoTb('AccessDenied')
|
||||||
|
|
||||||
def check(db, uid, passwd):
|
def check(db, uid, passwd):
|
||||||
if not passwd:
|
pool = pooler.get_pool(db)
|
||||||
return False
|
user_obj = pool.get('res.users')
|
||||||
cached_pass = _uid_cache.get(db, {}).get(uid)
|
return user_obj.check(db, uid, passwd)
|
||||||
if (cached_pass is not None) and cached_pass == passwd:
|
|
||||||
return True
|
|
||||||
cr = pooler.get_db(db).cursor()
|
|
||||||
cr.execute('select count(1) from res_users where id=%s and password=%s and active=%s', (int(uid), passwd, True))
|
|
||||||
res = cr.fetchone()[0]
|
|
||||||
cr.close()
|
|
||||||
if not bool(res):
|
|
||||||
raise ExceptionNoTb('AccessDenied')
|
|
||||||
if res:
|
|
||||||
if _uid_cache.has_key(db):
|
|
||||||
ulist = _uid_cache[db]
|
|
||||||
ulist[uid] = passwd
|
|
||||||
else:
|
|
||||||
_uid_cache[db] = {uid:passwd}
|
|
||||||
return bool(res)
|
|
||||||
|
|
||||||
def access(db, uid, passwd, sec_level, ids):
|
def access(db, uid, passwd, sec_level, ids):
|
||||||
if not passwd:
|
pool = pooler.get_pool(db)
|
||||||
return False
|
user_obj = pool.get('res.users')
|
||||||
cr = pooler.get_db(db).cursor()
|
return user_obj.access(db, uid, passwd, sec_level, ids)
|
||||||
cr.execute('select id from res_users where id=%s and password=%s', (uid, passwd))
|
|
||||||
res = cr.fetchone()
|
|
||||||
cr.close()
|
|
||||||
if not res:
|
|
||||||
raise ExceptionNoTb('Bad username or password')
|
|
||||||
return res[0]
|
|
||||||
|
|
||||||
|
|
||||||
# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
|
# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
|
||||||
|
|
Loading…
Reference in New Issue