[FIX] base, auth_openid: wrong implementation of API by auth_openid

Authentication modules are supposed to override res_users.check_credentials()
in order to plug in their own mechanism, without actually modifying the
behavior of res_users.check(), res_users.authenticate() or
res_users._login().

auth_openid was incorrectly overriding check() instead of
check_credentials(), and unnecessarily accessing private
attributes of res_users. Fixing the implementation of auth_openid
to follow the API means we can completely make those attributes
private.
Olivier Dony 2015-08-04 12:08:24 +02:00
parent d2d81ca9d8
commit 77868ec4f9
2 changed files with 18 additions and 25 deletions


@ -73,22 +73,18 @@ class res_users(osv.osv):
cr.commit() cr.commit()
return res[0] if res else False return res[0] if res else False
def check(self, db, uid, passwd): def check_credentials(self, cr, uid, password):
try: try:
return super(res_users, self).check(db, uid, passwd) return super(res_users, self).check_credentials(cr, uid, password)
except openerp.exceptions.AccessDenied: except openerp.exceptions.AccessDenied:
if not passwd: cr.execute('''SELECT COUNT(1)
FROM res_users
WHERE id=%s
AND openid_key=%s
AND active=%s''',
(int(uid), passwd, True))
if not cr.fetchone()[0]:
raise raise
with RegistryManager.get(db).cursor() as cr:
cr.execute('''SELECT COUNT(1)
FROM res_users
WHERE id=%s
AND openid_key=%s
AND active=%s''',
(int(uid), passwd, True))
if not cr.fetchone()[0]:
raise
self._uid_cache.setdefault(db, {})[uid] = passwd
res_users() res_users()
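Review bot: The fallback query in the new `check_credentials(self, cr, uid, password)` still binds the old name in its parameter tuple, `(int(uid), passwd, True))`, although the argument is now called `password`. As rendered, the `except openerp.exceptions.AccessDenied` branch would raise NameError instead of comparing `openid_key`. That fails closed, but it breaks the OpenID login path and surfaces as an unexpected exception rather than AccessDenied, so the tuple should read `(int(uid), password, True))`. The old `if not passwd: raise` guard is also dropped, so rejecting an empty value now depends on every caller doing it first, as `check()` in the base module does. Re-adding `if not password: raise` ahead of the query would keep that guarantee inside the override.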


@ -136,7 +136,7 @@ class res_users(osv.osv):
avatar, ... The user model is now dedicated to technical data. avatar, ... The user model is now dedicated to technical data.
""" """
__admin_ids = {} __admin_ids = {}
_uid_cache = {} __uid_cache = {}
_inherits = { _inherits = {
'res.partner': 'partner_id', 'res.partner': 'partner_id',
} }
@ -336,10 +336,10 @@ class res_users(osv.osv):
clear = partial(self.pool.get('ir.rule').clear_cache, cr) clear = partial(self.pool.get('ir.rule').clear_cache, cr)
map(clear, ids) map(clear, ids)
db = cr.dbname db = cr.dbname
if db in self._uid_cache: if db in self.__uid_cache:
for id in ids: for id in ids:
if id in self._uid_cache[db]: if id in self.__uid_cache[db]:
del self._uid_cache[db][id] del self.__uid_cache[db][id]
self.context_get.clear_cache(self) self.context_get.clear_cache(self)
return res return res
@ -347,10 +347,10 @@ class res_users(osv.osv):
if 1 in ids: if 1 in ids:
raise osv.except_osv(_('Can not remove root user!'), _('You can not remove the admin user as it is used internally for resources created by OpenERP (updates, module installation, ...)')) raise osv.except_osv(_('Can not remove root user!'), _('You can not remove the admin user as it is used internally for resources created by OpenERP (updates, module installation, ...)'))
db = cr.dbname db = cr.dbname
if db in self._uid_cache: if db in self.__uid_cache:
for id in ids: for id in ids:
if id in self._uid_cache[db]: if id in self.__uid_cache[db]:
del self._uid_cache[db][id] del self.__uid_cache[db][id]
return super(res_users, self).unlink(cr, uid, ids, context=context) return super(res_users, self).unlink(cr, uid, ids, context=context)
def name_search(self, cr, user, name='', args=None, operator='ilike', context=None, limit=100): def name_search(self, cr, user, name='', args=None, operator='ilike', context=None, limit=100):
@ -491,15 +491,12 @@ class res_users(osv.osv):
if not passwd: if not passwd:
# empty passwords disallowed for obvious security reasons # empty passwords disallowed for obvious security reasons
raise openerp.exceptions.AccessDenied() raise openerp.exceptions.AccessDenied()
if self._uid_cache.get(db, {}).get(uid) == passwd: if self.__uid_cache.setdefault(db, {}).get(uid) == passwd:
return return
cr = pooler.get_db(db).cursor() cr = pooler.get_db(db).cursor()
try: try:
self.check_credentials(cr, uid, passwd) self.check_credentials(cr, uid, passwd)
if self._uid_cache.has_key(db): self.__uid_cache[db][uid] = passwd
self._uid_cache[db][uid] = passwd
else:
self._uid_cache[db] = {uid:passwd}
finally: finally:
cr.close() cr.close()
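Review bot: The rename to `__uid_cache` (declared at `__uid_cache = {}` and used in the write, unlink and check hunks) gives name mangling, not access control. Both file sections declare their class as `res_users`, so `self.__uid_cache` written in an extension module mangles to the same `_res_users__uid_cache` and, assuming the usual model inheritance, would still reach this dict. The dict holds the cleartext secret that lets `check()` return early without calling `check_credentials()`, so the contract is worth stating on the attribute: `# credential cache used only by check(): db -> {uid: password}; auth modules must override check_credentials() and never read or write this`. The body of `check()` starts outside the last hunk, so its remaining callers and the cursor handling were not reviewed.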