[FIX] auth_crypt: encrypt all passwords at installation

When `base_crypt` was updated for v7, the auto-encryption at installation was dropped, with user passwords only encrypted on-demand whenever the user would connect. It is important to encrypt all passwords immediately to prevent password compromission for user who do not login often or even for deactivated users who are not allowed to login anymore. Fixes https://bugs.launchpad.net/openobject-addons/+bug/1280152 Based on LP merge proposal by Nicolas Bessi (Camptocamp): https://code.launchpad.net/~camptocamp/openobject-addons/improve_auth_crypt_3_please_launchpad_work-nbi/+merge/206476
2014-06-18 15:22:44 +02:00 · 2014-06-18 15:22:44 +02:00 · f29ff5ef70
parent 86b80cf95e
commit f29ff5ef70
1 changed files with 15 additions and 5 deletions
--- a/addons/auth_crypt/auth_crypt.py
+++ b/addons/auth_crypt/auth_crypt.py
@ -117,10 +117,22 @@ def sh256crypt(cls, password, salt, magic=magic_sha256):
 class res_users(osv.osv):
    _inherit = "res.users"

+    def init(self, cr):
+        """Encrypt all passwords at module installation"""
+        cr.execute("SELECT id, password FROM res_users WHERE password IS NOT NULL and password != ''")
+        for user in cr.fetchall():
+            self._set_encrypted_password(cr, user[0], user[1])
+
+    def _set_encrypted_password(self, cr, uid, plain_password):
+        """Set an encrypted password for a given user"""
+        salt = gen_salt()
+        stored_password_crypt = md5crypt(plain_password, salt)
+        cr.execute("UPDATE res_users SET password = '', password_crypt = %s WHERE id = %s",
+                   (stored_password_crypt, uid))
+
    def set_pw(self, cr, uid, id, name, value, args, context):
        if value:
-            encrypted = md5crypt(value, gen_salt())
-            cr.execute("update res_users set password='', password_crypt=%s where id=%s", (encrypted, id))
+            self._set_encrypted_password(cr, id, value)
        del value

    def get_pw( self, cr, uid, ids, name, args, context ):
@ -144,9 +156,7 @@ class res_users(osv.osv):
        if cr.rowcount:
            stored_password, stored_password_crypt = cr.fetchone()
            if stored_password and not stored_password_crypt:
-                salt = gen_salt()
-                stored_password_crypt = md5crypt(stored_password, salt)
-                cr.execute("UPDATE res_users SET password='', password_crypt=%s WHERE id=%s", (stored_password_crypt, uid))
+                self._set_encrypted_password(cr, uid, stored_password)
        try:
            return super(res_users, self).check_credentials(cr, uid, password)
        except openerp.exceptions.AccessDenied: