[FIX] res_users: check() must raise when access is denied!
lp bug: https://launchpad.net/bugs/760301 fixed bzr revid: odo@openerp.com-20110428153901-0msblcxirkgskmsl
parent
d1326f8695
commit
baa9d24adf
|
@ -458,24 +458,25 @@ class users(osv.osv):
|
|||
raise security.ExceptionNoTb('AccessDenied')
|
||||
|
||||
def check(self, db, uid, passwd):
|
||||
"""Verifies that the given (uid, password) pair is authorized for the database ``db`` and
|
||||
raise an exception if it is not."""
|
||||
if not passwd:
|
||||
return False
|
||||
# empty passwords disallowed for obvious security reasons
|
||||
raise security.ExceptionNoTb('AccessDenied')
|
||||
if self._uid_cache.get(db, {}).get(uid) == passwd:
|
||||
return True
|
||||
return
|
||||
cr = pooler.get_db(db).cursor()
|
||||
try:
|
||||
cr.execute('SELECT COUNT(1) FROM res_users WHERE id=%s AND password=%s AND active=%s',
|
||||
(int(uid), passwd, True))
|
||||
res = cr.fetchone()[0]
|
||||
if not bool(res):
|
||||
if not res:
|
||||
raise security.ExceptionNoTb('AccessDenied')
|
||||
if res:
|
||||
if self._uid_cache.has_key(db):
|
||||
ulist = self._uid_cache[db]
|
||||
ulist[uid] = passwd
|
||||
else:
|
||||
self._uid_cache[db] = {uid:passwd}
|
||||
return bool(res)
|
||||
if self._uid_cache.has_key(db):
|
||||
ulist = self._uid_cache[db]
|
||||
ulist[uid] = passwd
|
||||
else:
|
||||
self._uid_cache[db] = {uid:passwd}
|
||||
finally:
|
||||
cr.close()
|
||||
|
||||
|
@ -604,4 +605,4 @@ class res_config_view(osv.osv_memory):
|
|||
|
||||
res_config_view()
|
||||
|
||||
# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
|
||||
# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
|
||||
|
|
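Review bot: On success `check()` now returns None where it used to return True: the cache-hit path ends in a bare `return`, and the database path falls off the end after updating `_uid_cache`. Any caller outside this hunk that still tests the result will therefore treat valid credentials as denied. The docstring should state the new contract, for example `Returns None on success; raises security.ExceptionNoTb('AccessDenied') otherwise.`, and callers should be audited for truthiness tests on the return value. Separately, the cache-hit shortcut compares against a plaintext password held in `_uid_cache` and returns before the `active=%s` query runs. Unless the cache is cleared elsewhere when a user is deactivated or changes password (not visible on this page), a stale entry keeps authorizing that uid, so it is worth confirming that such invalidation exists.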