
[FIX] auth_brute_force: Avoid storing false login attempts (https://github.com/OCA/server-tools/pull/1258)

In Odoo v9, every request calls `res.users.check()`, which stores one authentication attempt per request, which is false.

Besides, it easily leads to hitting ip-api.com rate limits, so now that API is only queried when a record is viewed in form view (simply by setting the computed field as not stored).

Also, form view was hidden, so it's now visible.
pull/1265/head
Jairo Llopis 7 years ago
parent
commit
8f362e20c1
  1. 2
      auth_brute_force/__manifest__.py
  2. 1
      auth_brute_force/models/res_authentication_attempt.py
  3. 5
      auth_brute_force/models/res_users.py
  4. 2
      auth_brute_force/views/action.xml

2
auth_brute_force/__manifest__.py

@ -4,7 +4,7 @@
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
{ {
'name': 'Authentification - Brute-Force Filter', 'name': 'Authentification - Brute-Force Filter',
'version': '10.0.2.1.1',
'version': '10.0.2.2.0',
'category': 'Tools', 'category': 'Tools',
'summary': "Track Authentication Attempts and Prevent Brute-force Attacks", 'summary': "Track Authentication Attempts and Prevent Brute-force Attacks",
'author': "GRAP, " 'author': "GRAP, "

1
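--- a/auth_brute_force/models/res_authentication_attempt.py
+++ b/auth_brute_force/models/res_authentication_attempt.py
@@ -30,7 +30,6 @@ class ResAuthenticationAttempt(models.Model):
 remote_metadata = fields.Text(
 string="Remote IP metadata",
 compute='_compute_metadata',
-store=True,
 help="Metadata publicly available for remote IP",
 )
 whitelisted = fields.Boolean(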
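Review bot: With `store=True` gone, `_compute_metadata` runs on every read of `remote_metadata`, and per the commit message that compute queries ip-api.com, so opening a single record in form view now makes a live outbound HTTP request to a third party carrying the attempt's source IP; the compute body is outside this hunk, so confirm it sets a request timeout and falls back to an empty value on network or rate-limit errors, otherwise an unreachable ip-api.com blocks the form from loading. Because the value is no longer persisted, what an administrator sees reflects the IP's ownership at viewing time rather than at attempt time, which matters for later incident review; a hint such as `help="Metadata publicly available for remote IP (looked up live when displayed, not at attempt time)"` would make that visible. Presumably the previously stored column stays in the database after upgrade unless a migration drops it — harmless, but worth confirming.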

5
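--- a/auth_brute_force/models/res_users.py
+++ b/auth_brute_force/models/res_users.py
@@ -123,11 +123,6 @@ class ResUsers(models.Model):
 db, login, password, user_agent_env),
 )
-@classmethod
-def check(cls, db, uid, passwd):
-with cls._auth_attempt(uid):
-return super(ResUsers, cls).check(db, uid, passwd)
 @api.model
 def check_credentials(self, password):
 """This is the most important and specific auth check method.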
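Review bot: The reason `check()` is no longer wrapped in `_auth_attempt` lives only in the commit message, so a future maintainer could reintroduce the override and again record one false attempt per request; a comment at the point of removal, e.g. `# NOTE: res.users.check() is deliberately not wrapped in _auth_attempt: it is called on every request, so counting it would log a false attempt per request.`, would pin this decision in the code. It would also help to state which paths remain counted (the login wrapper above and `check_credentials` below) so the coverage of the brute-force filter is explicit to whoever audits it. The class and the `check_credentials` method continue outside the hunk.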

2
auth_brute_force/views/action.xml

@ -7,7 +7,7 @@
<field name="name">Authentication Attempts</field> <field name="name">Authentication Attempts</field>
<field name="res_model">res.authentication.attempt</field> <field name="res_model">res.authentication.attempt</field>
<field name="view_type">form</field> <field name="view_type">form</field>
<field name="view_mode">tree,graph</field>
<field name="view_mode">tree,form,graph</field>
<field name="context">{"search_default_filter_no_success":1}</field> <field name="context">{"search_default_filter_no_success":1}</field>
</record> </record>
