From baa9d24adfa64cb33379980d16e920ad41cc99f3 Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Thu, 28 Apr 2011 17:39:01 +0200
Subject: [PATCH] [FIX] res_users: check() must raise when access is denied!

lp bug: https://launchpad.net/bugs/760301 fixed

bzr revid: odo@openerp.com-20110428153901-0msblcxirkgskmsl
---
 bin/addons/base/res/res_user.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/bin/addons/base/res/res_user.py b/bin/addons/base/res/res_user.py
index 261ec699659..7bf3674adc3 100644
--- a/bin/addons/base/res/res_user.py
+++ b/bin/addons/base/res/res_user.py
@@ -458,24 +458,25 @@ class users(osv.osv):
         raise security.ExceptionNoTb('AccessDenied')
 
     def check(self, db, uid, passwd):
+        """Verifies that the given (uid, password) pair is authorized for the database ``db`` and
+        raise an exception if it is not."""
         if not passwd:
-            return False
+            # empty passwords disallowed for obvious security reasons
+            raise security.ExceptionNoTb('AccessDenied')
         if self._uid_cache.get(db, {}).get(uid) == passwd:
-            return True
+            return
         cr = pooler.get_db(db).cursor()
         try:
             cr.execute('SELECT COUNT(1) FROM res_users WHERE id=%s AND password=%s AND active=%s',
                         (int(uid), passwd, True))
             res = cr.fetchone()[0]
-            if not bool(res):
+            if not res:
                 raise security.ExceptionNoTb('AccessDenied')
-            if res:
-                if self._uid_cache.has_key(db):
-                    ulist = self._uid_cache[db]
-                    ulist[uid] = passwd
-                else:
-                    self._uid_cache[db] = {uid:passwd}
-            return bool(res)
+            if self._uid_cache.has_key(db):
+                ulist = self._uid_cache[db]
+                ulist[uid] = passwd
+            else:
+                self._uid_cache[db] = {uid:passwd}
         finally:
             cr.close()
 
@@ -604,4 +605,4 @@ class res_config_view(osv.osv_memory):
 res_config_view()
 
-# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
\ No newline at end of file
+# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
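Review bot: The success path of check() now falls off the end (the bare `return` on the cache hit and the dropped `return bool(res)` after the cache fill), so every caller that still tests the return value — `if not users.check(...)` — will see None and treat a valid login as a failure; the hunk does not show those callers, so it needs confirming elsewhere that none remain, or a `return True` on both success paths keeps the old contract while still raising on denial. The new docstring mixes moods ("Verifies ... and raise"); `"""Verify that the (uid, password) pair is authorized for database ``db``; raise ExceptionNoTb('AccessDenied') otherwise."""` also names the exception callers must expect. The five-line cache fill can be `self._uid_cache.setdefault(db, {})[uid] = passwd`, which avoids the `has_key` branch. Note that `_uid_cache` holds the plaintext password per uid and is consulted before the database, so a password change or deactivation is not seen until the process restarts; the commit does not change this, but a comment saying so on the cache lookup would save the next reader a surprise.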