[FIX] auth_crypt: encrypt all passwords at installation
When `base_crypt` was updated for v7, the auto-encryption at installation was dropped, with user passwords only encrypted on-demand whenever the user would connect. It is important to encrypt all passwords immediately to prevent password compromise for users who do not log in often or even for deactivated users who are not allowed to log in anymore. Fixes https://bugs.launchpad.net/openobject-addons/+bug/1280152 Based on LP merge proposal by Nicolas Bessi (Camptocamp): https://code.launchpad.net/~camptocamp/openobject-addons/improve_auth_crypt_3_please_launchpad_work-nbi/+merge/206476
parent
86b80cf95e
commit
f29ff5ef70
@ -117,10 +117,22 @@ def sh256crypt(cls, password, salt, magic=magic_sha256):
class res_users(osv.osv):
_inherit = "res.users"
def init(self, cr):
"""Encrypt all passwords at module installation"""
cr.execute("SELECT id, password FROM res_users WHERE password IS NOT NULL and password != ''")
for user in cr.fetchall():
self._set_encrypted_password(cr, user[0], user[1])
def _set_encrypted_password(self, cr, uid, plain_password):
"""Set an encrypted password for a given user"""
salt = gen_salt()
stored_password_crypt = md5crypt(plain_password, salt)
cr.execute("UPDATE res_users SET password = '', password_crypt = %s WHERE id = %s",
(stored_password_crypt, uid))
def set_pw(self, cr, uid, id, name, value, args, context):
if value:
encrypted = md5crypt(value, gen_salt())
cr.execute("update res_users set password='', password_crypt=%s where id=%s", (encrypted, id))
self._set_encrypted_password(cr, id, value)
del value
def get_pw( self, cr, uid, ids, name, args, context ):
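Review bot: The new `_set_encrypted_password` helper hard-codes `md5crypt`, while the hunk header shows the same file defines `sh256crypt(cls, password, salt, magic=magic_sha256)`; every account migrated by `init` therefore ends up with an MD5-crypt hash, which looks like the weakest scheme the module offers. If the verification path behind `check_credentials` (partly visible in the second hunk) already accepts SHA-256 crypt strings, the helper should prefer it, e.g. `stored_password_crypt = sh256crypt(plain_password, salt)` adjusted for however that function is bound; if MD5 is kept deliberately for compatibility, say so in the docstring. The parameter named `uid` is the target user, not the calling user as `uid` conventionally means in this codebase — `set_pw` passes `id` into it — so `def _set_encrypted_password(self, cr, user_id, plain_password):` would avoid the confusion. The docstrings also say "encrypt" where the stored value is a salted one-way hash; `"""Store a salted hash of plain_password in password_crypt and clear the plaintext password column."""` states the contract precisely. The enclosing class `res_users` continues past this hunk.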
@ -144,9 +156,7 @@ class res_users(osv.osv):
if cr.rowcount:
stored_password, stored_password_crypt = cr.fetchone()
if stored_password and not stored_password_crypt:
salt = gen_salt()
stored_password_crypt = md5crypt(stored_password, salt)
cr.execute("UPDATE res_users SET password='', password_crypt=%s WHERE id=%s", (stored_password_crypt, uid))
self._set_encrypted_password(cr, uid, stored_password)
try:
return super(res_users, self).check_credentials(cr, uid, password)
except openerp.exceptions.AccessDenied: