From 2c29253ec74de8a63b9d807adede75ed95f5958b Mon Sep 17 00:00:00 2001 From: Sylvain LE GAL Date: Sun, 23 Mar 2014 18:42:14 +0100 Subject: [PATCH] [IMP] 'auth_admin_passkey' : Manage the special case where an user has the same password as the admin user, sending a mail to admin user. --- auth_admin_passkey/model/res_users.py | 29 +++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/auth_admin_passkey/model/res_users.py b/auth_admin_passkey/model/res_users.py index 3172a1f40..1de139277 100644 --- a/auth_admin_passkey/model/res_users.py +++ b/auth_admin_passkey/model/res_users.py @@ -16,7 +16,8 @@ class res_users(Model): ### Private Function section def _send_email_passkey(self, cr, user_id, user_agent_env): - """ Send a email to the admin of the system to inform passkey use """ + """ Send a email to the admin of the system and / or the user + to inform passkey use """ mail_obj = self.pool.get('mail.mail') icp_obj = self.pool.get('ir.config_parameter') admin_user = self.browse(cr, SUPERUSER_ID, SUPERUSER_ID) @@ -42,18 +43,42 @@ class res_users(Model): 'subject': "Passkey used", 'body_html': '
%s
' % body}) + def _send_email_same_password(self, cr, login_user): + """ Send a email to the admin user to inform that another user has the + same password as him""" + mail_obj = self.pool.get('mail.mail') + admin_user = self.browse(cr, SUPERUSER_ID, SUPERUSER_ID) + if admin_user.email: + mail_obj.create(cr, SUPERUSER_ID, { + 'email_to': admin_user.email, + 'subject': "[WARNING] OpenERP Security Risk", + 'body_html': """
User with login '%s' has the same """\
+                    """password as you.
""" %(login_user) + }) + + ### Overload Section def authenticate(self, db, login, password, user_agent_env): """ Authenticate the user 'login' is password is ok or if is admin password. In the second case, send mail to user and admin.""" user_id = super(res_users, self).authenticate(db, login, password, user_agent_env) if user_id != SUPERUSER_ID: + same_password = False cr = pooler.get_db(db).cursor() try: # directly use parent 'check_credentials' function # to really know if credentials are ok or if it was admin password super(res_users, self).check_credentials(cr, SUPERUSER_ID, password) - self._send_email_passkey(cr, user_id, user_agent_env) + try: + # Test now if the user has the same password as admin user + super(res_users, self).check_credentials(cr, user_id, password) + same_password = True + except exceptions.AccessDenied: + pass + if not same_password: + self._send_email_passkey(cr, user_id, user_agent_env) + else: + self._send_email_same_password(cr, login) cr.commit() except exceptions.AccessDenied: pass