PR commit

7 years ago · 74fcce91ee
3 changed files with 19 additions and 22 deletions
--- a/auth_totp/controllers/main.py
+++ b/auth_totp/controllers/main.py
@ -42,18 +42,18 @@ class AuthTotp(Home):

    @http.route('/auth_totp/login', type='http', auth='none', methods=['POST'])
    def mfa_login_post(self, *args, **kwargs):
-        """Process MFA login attempt
+        """Process MFA login attempt.

        Overview:
            * Identify current user based on login in session. If this doesn't
-              work, redirect to the password login page with an error message
+              work, redirect to the password login page with an error message.
            * Validate the confirmation code provided by the user. If it's not
-              valid, redirect to the previous login step with an error message
+              valid, redirect to the previous login step with an error message.
            * Update the session to indicate that the MFA login process for
-              this user is complete and attempt password authentication again
+              this user is complete and attempt password authentication again.
            * Build a trusted device cookie and add it to the response if the
-              trusted device option was checked
-            * Redirect to the provided URL or to '/web' if one was not given
+              trusted device option was checked.
+            * Redirect to the provided URL or to '/web' if one was not given.
        """

        # sudo() is required because there is no request.env.uid (likely since
--- a/auth_totp/migrations/10.0.2.0.0/post-migrate.py
+++ b/auth_totp/migrations/10.0.2.0.0/post-migrate.py
@ -2,18 +2,18 @@
 # Copyright 2017 LasLabs Inc.
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).

-import uuid
+from uuid import uuid4
 from odoo import api, SUPERUSER_ID


 def migrate(cr, version):
-    """Generate cookie keys for all users with MFA enabled and clean up"""
+    """Generate cookie keys for all users with MFA enabled and clean up."""
    env = api.Environment(cr, SUPERUSER_ID, {})
    user_model = env['res.users'].with_context(active_test=False)
    mfa_users = user_model.search([('mfa_enabled', '=', True)])

    for mfa_user in mfa_users:
-        mfa_user.trusted_device_cookie_key = uuid.uuid4()
+        mfa_user.trusted_device_cookie_key = uuid4()

    # Clean up ir records for device model to prevent warnings
    removed_model = 'res.users.device'
--- a/auth_totp/models/res_users.py
+++ b/auth_totp/models/res_users.py
@ -2,7 +2,7 @@
 # Copyright 2016-2017 LasLabs Inc.
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).

-import uuid
+from uuid import uuid4
 from odoo import _, api, fields, models
 from odoo.exceptions import ValidationError
 from odoo.http import request
@ -39,7 +39,7 @@ class ResUsers(models.Model):
    def _compute_trusted_device_cookie_key(self):
        for record in self:
            if record.mfa_enabled:
-                record.trusted_device_cookie_key = uuid.uuid4()
+                record.trusted_device_cookie_key = uuid4()
            else:
                record.trusted_device_cookie_key = False

@ -56,30 +56,27 @@ class ResUsers(models.Model):

    @api.model
    def check_credentials(self, password):
-        """Add MFA logic to core authentication process
+        """Add MFA logic to core authentication process.

        Overview:
-            * If user does not have MFA enabled, defer to parent logic
+            * If user does not have MFA enabled, defer to parent logic.
            * If user has MFA enabled and has gone through MFA login process
-              this session or has correct device cookie, defer to parent logic
+              this session or has correct device cookie, defer to parent logic.
            * If neither of these is true, call parent logic. If successful,
              prevent auth while updating session to indicate that MFA login
-              process can now commence
+              process can now commence.
        """
-        user_model_sudo = self.sudo()
-        user = user_model_sudo.search([('id', '=', self.env.uid)])
-
-        if not user.mfa_enabled:
+        if not self.env.user.mfa_enabled:
            return super(ResUsers, self).check_credentials(password)

        if request:
-            if request.session.get('mfa_login_active') == user.id:
+            if request.session.get('mfa_login_active') == self.env.uid:
                return super(ResUsers, self).check_credentials(password)

-            cookie_key = 'trusted_devices_%d' % user.id
+            cookie_key = 'trusted_devices_%d' % self.env.uid
            device_cook = request.httprequest.cookies.get(cookie_key)
            if device_cook:
-                secret = user.trusted_device_cookie_key
+                secret = self.env.user.trusted_device_cookie_key
                device_cook = JsonSecureCookie.unserialize(device_cook, secret)
                if device_cook:
                    return super(ResUsers, self).check_credentials(password)