odoo
/
odoo
2
0
Fork 0
Code Pull Requests Releases Activity

[FIX] base, auth_openid: wrong implementation of API by auth_openid 

Authentication modules are supposed to override res_users.check_credentials()
in order to plug in their own mechanism, without actually modifying the
behavior of res_users.check(), res_users.authenticate() or
res_users._login().

auth_openid was incorrectly overriding check() instead of
check_credentials(), and unnecessarily accessing private
attributes of res_users. Fixing the implementation of auth_openid
to follow the API means we can completely make those attributes
private.
This commit is contained in:
Olivier Dony 2015-08-04 12:08:24 +02:00
parent d8d9c7277e
commit 54e06907c0
2 changed files with 18 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
addons/auth_openid/res_users.py
View File

@ -63,24 +63,17 @@ class res_users(osv.osv):
cr.commit()
return res[0] if res else False
def check(self, db, uid, passwd):
def check_credentials(self, cr, uid, password):
try:
return super(res_users, self).check(db, uid, passwd)
return super(res_users, self).check_credentials(cr, uid, password)
except openerp.exceptions.AccessDenied:
if not passwd:
cr.execute('''SELECT COUNT(1)
FROM res_users
WHERE id=%s
AND openid_key=%s
AND active=%s''',
(int(uid), passwd, True))
if not cr.fetchone()[0]:
raise
with RegistryManager.get(db).cursor() as cr:
cr.execute('''SELECT COUNT(1)
FROM res_users
WHERE id=%s
AND openid_key=%s
AND active=%s''',
(int(uid), passwd, True))
if not cr.fetchone()[0]:
raise
self._uid_cache.setdefault(db, {})[uid] = passwd
# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:

21
openerp/addons/base/res/res_users.py
View File

@ -142,7 +142,7 @@ class res_users(osv.osv):
avatar, ... The user model is now dedicated to technical data.
"""
__admin_ids = {}
_uid_cache = {}
__uid_cache = {}
_inherits = {
'res.partner': 'partner_id',
}
@ -341,10 +341,10 @@ class res_users(osv.osv):
clear = partial(self.pool['ir.rule'].clear_cache, cr)
map(clear, ids)
db = cr.dbname
if db in self._uid_cache:
if db in self.__uid_cache:
for id in ids:
if id in self._uid_cache[db]:
del self._uid_cache[db][id]
if id in self.__uid_cache[db]:
del self.__uid_cache[db][id]
self._context_get.clear_cache(self)
self.has_group.clear_cache(self)
return res
@ -353,10 +353,10 @@ class res_users(osv.osv):
if 1 in ids:
raise osv.except_osv(_('Can not remove root user!'), _('You can not remove the admin user as it is used internally for resources created by Odoo (updates, module installation, ...)'))
db = cr.dbname
if db in self._uid_cache:
if db in self.__uid_cache:
for id in ids:
if id in self._uid_cache[db]:
del self._uid_cache[db][id]
if id in self.__uid_cache[db]:
del self.__uid_cache[db][id]
return super(res_users, self).unlink(cr, uid, ids, context=context)
def name_search(self, cr, user, name='', args=None, operator='ilike', context=None, limit=100):
@ -495,15 +495,12 @@ class res_users(osv.osv):
if not passwd:
# empty passwords disallowed for obvious security reasons
raise openerp.exceptions.AccessDenied()
if self._uid_cache.get(db, {}).get(uid) == passwd:
if self.__uid_cache.setdefault(db, {}).get(uid) == passwd:
return
cr = self.pool.cursor()
try:
self.check_credentials(cr, uid, passwd)
if self._uid_cache.has_key(db):
self._uid_cache[db][uid] = passwd
else:
self._uid_cache[db] = {uid:passwd}
self.__uid_cache[db][uid] = passwd
finally:
cr.close()