[FIX] base_crypt: double-check to prevent blank passwords

bzr revid: odo@openerp.com-20110428155111-ut91pv47u7blya3q
2011-04-28 17:51:11 +02:00 · 2011-04-28 17:51:11 +02:00 · 59f6cc2b09
parent 00c65ea9a7
commit 59f6cc2b09
1 changed files with 4 additions and 0 deletions
--- a/addons/base_crypt/crypt.py
+++ b/addons/base_crypt/crypt.py
@ -220,6 +220,10 @@ class users(osv.osv):
            return False

    def check(self, db, uid, passwd):
+        if not passwd:
+            # empty passwords disallowed for obvious security reasons
+            raise security.ExceptionNoTb('AccessDenied')
+
        # Get a chance to hash all passwords in db before using the uid_cache.
        obj = pooler.get_pool(db).get('res.users')
        if not hasattr(obj, "_salt_cache"):