From 77868ec4f978914cc0f632c27c74d9bb6bf18515 Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Tue, 4 Aug 2015 12:08:24 +0200
Subject: [PATCH] [FIX] base, auth_openid: wrong implementation of API by auth_openid

Authentication modules are supposed to override res_users.check_credentials() in order to plug in their own mechanism, without actually modifying the behavior of res_users.check(), res_users.authenticate() or res_users._login(). auth_openid was incorrectly overriding check() instead of check_credentials(), and unnecessarily accessing private attributes of res_users. Fixing the implementation of auth_openid to follow the API means we can completely make those attributes private.
---
 addons/auth_openid/res_users.py | 22 +++++++++-------------
 openerp/addons/base/res/res_users.py | 21 +++++++++------------
 2 files changed, 18 insertions(+), 25 deletions(-)

diff --git a/addons/auth_openid/res_users.py b/addons/auth_openid/res_users.py
index 79d86a1bac3..da99747fea4 100644
--- a/addons/auth_openid/res_users.py
+++ b/addons/auth_openid/res_users.py
@@ -73,22 +73,18 @@ class res_users(osv.osv):
 cr.commit()
 return res[0] if res else False
- def check(self, db, uid, passwd):
+ def check_credentials(self, cr, uid, password):
 try:
- return super(res_users, self).check(db, uid, passwd)
+ return super(res_users, self).check_credentials(cr, uid, password)
 except openerp.exceptions.AccessDenied:
- if not passwd:
+ cr.execute('''SELECT COUNT(1)
+ FROM res_users
+ WHERE id=%s
+ AND openid_key=%s
+ AND active=%s''',
+ (int(uid), passwd, True))
+ if not cr.fetchone()[0]:
 raise
- with RegistryManager.get(db).cursor() as cr:
- cr.execute('''SELECT COUNT(1)
- FROM res_users
- WHERE id=%s
- AND openid_key=%s
- AND active=%s''',
- (int(uid), passwd, True))
- if not cr.fetchone()[0]:
- raise
- self._uid_cache.setdefault(db, {})[uid] = passwd
 res_users()
diff --git a/openerp/addons/base/res/res_users.py b/openerp/addons/base/res/res_users.py
index c678deff47f..ece49258f44 100644
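Review bot: The new `check_credentials` takes `password`, but the fallback query still binds `passwd` at `(int(uid), passwd, True))`, a name that no longer exists in the new signature; every call that reaches the `except` branch (i.e. every wrong password) will raise `NameError` instead of `AccessDenied` unless a module-level `passwd` happens to exist. The line should read `(int(uid), password, True))`. The removed `if not passwd: raise` guard is now only covered by the empty-password check in the base `check()` shown in the other file; if `check_credentials` can be reached through another path, keeping `if not password: raise` as the first statement of the `except` block ensures the OpenID fallback can never match an empty `openid_key`. The enclosing class continues outside the hunk.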
--- a/openerp/addons/base/res/res_users.py
+++ b/openerp/addons/base/res/res_users.py
@@ -136,7 +136,7 @@ class res_users(osv.osv):
 avatar, ... The user model is now dedicated to technical data.
 """
 __admin_ids = {}
- _uid_cache = {}
+ __uid_cache = {}
 _inherits = {
 'res.partner': 'partner_id',
 }
@@ -336,10 +336,10 @@ class res_users(osv.osv):
 clear = partial(self.pool.get('ir.rule').clear_cache, cr)
 map(clear, ids)
 db = cr.dbname
- if db in self._uid_cache:
+ if db in self.__uid_cache:
 for id in ids:
- if id in self._uid_cache[db]:
- del self._uid_cache[db][id]
+ if id in self.__uid_cache[db]:
+ del self.__uid_cache[db][id]
 self.context_get.clear_cache(self)
 return res
@@ -347,10 +347,10 @@ class res_users(osv.osv):
 if 1 in ids:
 raise osv.except_osv(_('Can not remove root user!'), _('You can not remove the admin user as it is used internally for resources created by OpenERP (updates, module installation, ...)'))
 db = cr.dbname
- if db in self._uid_cache:
+ if db in self.__uid_cache:
 for id in ids:
- if id in self._uid_cache[db]:
- del self._uid_cache[db][id]
+ if id in self.__uid_cache[db]:
+ del self.__uid_cache[db][id]
 return super(res_users, self).unlink(cr, uid, ids, context=context)
 def name_search(self, cr, user, name='', args=None, operator='ilike', context=None, limit=100):
@@ -491,15 +491,12 @@ class res_users(osv.osv):
 if not passwd:
 # empty passwords disallowed for obvious security reasons
 raise openerp.exceptions.AccessDenied()
- if self._uid_cache.get(db, {}).get(uid) == passwd:
+ if self.__uid_cache.setdefault(db, {}).get(uid) == passwd:
 return
 cr = pooler.get_db(db).cursor()
 try:
 self.check_credentials(cr, uid, passwd)
- if self._uid_cache.has_key(db):
- self._uid_cache[db][uid] = passwd
- else:
- self._uid_cache[db] = {uid:passwd}
+ self.__uid_cache[db][uid] = passwd
 finally:
 cr.close()
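Review bot: The cache-hit line `self.__uid_cache.setdefault(db, {}).get(uid) == passwd` now has a side effect that the later assignment `self.__uid_cache[db][uid] = passwd` in the `try` block silently depends on, and nothing says so; a comment on the assignment such as `# per-db dict is guaranteed by the setdefault() above` would stop a future edit from reverting the lookup to `.get()` and reintroducing the KeyError the removed `has_key` branch guarded against. The class attribute renamed in the `@@ -136` hunk also deserves a comment on its contract, e.g. `# {dbname: {uid: password}}: credentials last accepted by check(); entries are only dropped by the update/unlink paths that clear them, otherwise they persist for the life of the process`, since it keeps the verified secret in memory. Note too that the double underscore only mangles to `_res_users__uid_cache`, and the auth_openid subclass in this patch is also named `res_users`, so it could still reach the attribute under the same mangled name; the privacy is by convention rather than enforced. check() starts above this hunk.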