def authenticate(self, db, login=None, password=None, uid=None): """ Authenticate the current user with the given db, login and password. If successful, store the authentication parameters in the current session and request. :param uid: If not None, that user id will be used instead the login to authenticate the user. """ if uid is None: wsgienv = request.httprequest.environ env = dict( base_location=request.httprequest.url_root.rstrip('/'), HTTP_HOST=wsgienv['HTTP_HOST'], REMOTE_ADDR=wsgienv['REMOTE_ADDR'], ) uid = dispatch_rpc('common', 'authenticate', [db, login, password, env]) else: security.check(db, uid, password) self.db = db self.uid = uid self.login = login self.password = password request.uid = uid request.disable_db = False if uid: self.get_context() return uid
def authenticate(self, db, login=None, password=None, uid=None): """ Authenticate the current user with the given db, login and password. If successful, store the authentication parameters in the current session and request. :param uid: If not None, that user id will be used instead the login to authenticate the user. """ if uid is None: wsgienv = request.httprequest.environ env = dict( base_location=request.httprequest.url_root.rstrip('/'), HTTP_HOST=wsgienv['HTTP_HOST'], REMOTE_ADDR=wsgienv['REMOTE_ADDR'], ) uid = openerp.netsvc.dispatch_rpc('common', 'authenticate', [db, login, password, env]) else: security.check(db, uid, password) self.db = db self.uid = uid self.login = login self.password = password request.uid = uid request.disable_db = False if uid: self.get_context() return uid
def check_security(self): """ Chech the current authentication parameters to know if those are still valid. This method should be called at each request. If the authentication fails, a ``SessionExpiredException`` is raised. """ if not self.db or not self.uid: raise SessionExpiredException("Session expired") security.check(self.db, self.uid, self.password)
def request_authority(self, ids, password, model, field): """ Check user authentication to work with Secure field on Secure model @param {list} ids: recordset's ids to work with @param {str} password: current user password to check @param {str} model: name of Secure model @param {str} field: name of Secure field @param {dict} response message """ tokens = self.get_tokens() model_object = request.env[model] field_object = getattr(model_object, "_fields").get(field) try: # check for user authentication security.check(request.session.db, http.request.session.uid, password) except AccessDenied: return { "token": False, "authorized": False, "message": "You are not authorized", } # check field security on record-set records = model_object.browse(ids) security_checks = field_object.security(records) if not security_checks: return { "token": False, "authorized": False, "message": "You are not allowed to access this field", } # use token to prevent bypassing authentication process token = self.generate_token() # add token into the list token and tokens.append(token) return { "token": token, "authorized": True, "message": "You are authorized", }