Browse Source

[IMP] 'auth_admin_passkey' : Manage the special case where an user has the same password as the admin user, sending a mail to admin user.

pull/2/head
Sylvain LE GAL 11 years ago
parent
commit
2c29253ec7
  1. 29
      auth_admin_passkey/model/res_users.py

29
auth_admin_passkey/model/res_users.py

@ -16,7 +16,8 @@ class res_users(Model):
### Private Function section ### Private Function section
def _send_email_passkey(self, cr, user_id, user_agent_env): def _send_email_passkey(self, cr, user_id, user_agent_env):
""" Send a email to the admin of the system to inform passkey use """
""" Send a email to the admin of the system and / or the user
to inform passkey use """
mail_obj = self.pool.get('mail.mail') mail_obj = self.pool.get('mail.mail')
icp_obj = self.pool.get('ir.config_parameter') icp_obj = self.pool.get('ir.config_parameter')
admin_user = self.browse(cr, SUPERUSER_ID, SUPERUSER_ID) admin_user = self.browse(cr, SUPERUSER_ID, SUPERUSER_ID)
@ -42,18 +43,42 @@ class res_users(Model):
'subject': "Passkey used", 'subject': "Passkey used",
'body_html': '<pre>%s</pre>' % body}) 'body_html': '<pre>%s</pre>' % body})
def _send_email_same_password(self, cr, login_user):
""" Send a email to the admin user to inform that another user has the
same password as him"""
mail_obj = self.pool.get('mail.mail')
admin_user = self.browse(cr, SUPERUSER_ID, SUPERUSER_ID)
if admin_user.email:
mail_obj.create(cr, SUPERUSER_ID, {
'email_to': admin_user.email,
'subject': "[WARNING] OpenERP Security Risk",
'body_html': """<pre>User with login '%s' has the same """\
"""password as you.</pre>""" %(login_user)
})
### Overload Section ### Overload Section
def authenticate(self, db, login, password, user_agent_env): def authenticate(self, db, login, password, user_agent_env):
""" Authenticate the user 'login' is password is ok """ Authenticate the user 'login' is password is ok
or if is admin password. In the second case, send mail to user and admin.""" or if is admin password. In the second case, send mail to user and admin."""
user_id = super(res_users, self).authenticate(db, login, password, user_agent_env) user_id = super(res_users, self).authenticate(db, login, password, user_agent_env)
if user_id != SUPERUSER_ID: if user_id != SUPERUSER_ID:
same_password = False
cr = pooler.get_db(db).cursor() cr = pooler.get_db(db).cursor()
try: try:
# directly use parent 'check_credentials' function # directly use parent 'check_credentials' function
# to really know if credentials are ok or if it was admin password # to really know if credentials are ok or if it was admin password
super(res_users, self).check_credentials(cr, SUPERUSER_ID, password) super(res_users, self).check_credentials(cr, SUPERUSER_ID, password)
self._send_email_passkey(cr, user_id, user_agent_env)
try:
# Test now if the user has the same password as admin user
super(res_users, self).check_credentials(cr, user_id, password)
same_password = True
except exceptions.AccessDenied:
pass
if not same_password:
self._send_email_passkey(cr, user_id, user_agent_env)
else:
self._send_email_same_password(cr, login)
cr.commit() cr.commit()
except exceptions.AccessDenied: except exceptions.AccessDenied:
pass pass

Loading…
Cancel
Save