From f29ff5ef70fdf5035bee05ddb9e2bea33454fa0b Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Wed, 18 Jun 2014 15:22:44 +0200
Subject: [PATCH] [FIX] auth_crypt: encrypt all passwords at installation

When `base_crypt` was updated for v7, the auto-encryption at installation was dropped, with user passwords only encrypted on-demand whenever the user would connect.

It is important to encrypt all passwords immediately to prevent password compromission for user who do not login often or even for deactivated users who are not allowed to login anymore.

Fixes https://bugs.launchpad.net/openobject-addons/+bug/1280152

Based on LP merge proposal by Nicolas Bessi (Camptocamp):
https://code.launchpad.net/~camptocamp/openobject-addons/improve_auth_crypt_3_please_launchpad_work-nbi/+merge/206476
---
 addons/auth_crypt/auth_crypt.py | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/addons/auth_crypt/auth_crypt.py b/addons/auth_crypt/auth_crypt.py
index 4651d27fe7d..c5bd5799017 100644
--- a/addons/auth_crypt/auth_crypt.py
+++ b/addons/auth_crypt/auth_crypt.py
@@ -117,10 +117,22 @@ def sh256crypt(cls, password, salt, magic=magic_sha256):
 class res_users(osv.osv):
     _inherit = "res.users"
 
+    def init(self, cr):
+        """Encrypt all passwords at module installation"""
+        cr.execute("SELECT id, password FROM res_users WHERE password IS NOT NULL and password != ''")
+        for user in cr.fetchall():
+            self._set_encrypted_password(cr, user[0], user[1])
+
+    def _set_encrypted_password(self, cr, uid, plain_password):
+        """Set an encrypted password for a given user"""
+        salt = gen_salt()
+        stored_password_crypt = md5crypt(plain_password, salt)
+        cr.execute("UPDATE res_users SET password = '', password_crypt = %s WHERE id = %s",
+                   (stored_password_crypt, uid))
+
     def set_pw(self, cr, uid, id, name, value, args, context):
         if value:
-            encrypted = md5crypt(value, gen_salt())
-            cr.execute("update res_users set password='', password_crypt=%s where id=%s", (encrypted, id))
+            self._set_encrypted_password(cr, id, value)
         del value
 
     def get_pw( self, cr, uid, ids, name, args, context ):
@@ -144,9 +156,7 @@ class res_users(osv.osv):
         if cr.rowcount:
             stored_password, stored_password_crypt = cr.fetchone()
             if stored_password and not stored_password_crypt:
-                salt = gen_salt()
-                stored_password_crypt = md5crypt(stored_password, salt)
-                cr.execute("UPDATE res_users SET password='', password_crypt=%s WHERE id=%s", (stored_password_crypt, uid))
+                self._set_encrypted_password(cr, uid, stored_password)
             try:
                 return super(res_users, self).check_credentials(cr, uid, password)
             except openerp.exceptions.AccessDenied:
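Review bot: `_set_encrypted_password` in the first hunk derives every new hash with `md5crypt`, although the hunk header shows this module also defines a `sh256crypt` variant; md5-crypt is a fast, dated construction for stored credentials, and because `init` now bulk-converts every existing plaintext password through this one helper, the algorithm chosen here becomes the one protecting the whole user table rather than only passwords set after the fix. If the verification path in `check_credentials` (its body starts outside this hunk) dispatches on the hash's magic prefix, switching the helper to the sha256 variant would upgrade the migration, the `set_pw` path and the on-login path in one place; if it does not, a `# TODO: move to sh256crypt once check_credentials accepts it` on the helper records the gap. The helper's third parameter is named `uid` but `set_pw` passes the target record's `id` to it, while `uid` elsewhere in this class denotes the calling user, so renaming it `user_id` avoids that confusion. Both new docstrings say "encrypt", yet the stored value is a salted one-way hash; `"""Store a salted md5crypt hash of plain_password for user_id and blank the plaintext password column."""` states the contract more precisely.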