def check(self, db, uid, passwd):
if not passwd:
# empty passwords disallowed for obvious security reasons
raise security.ExceptionNoTb('AccessDenied')
# Get a chance to hash all passwords in db before using the uid_cache.
obj = pooler.get_pool(db).get('res.users')
if not hasattr(obj, "_salt_cache"):
obj._salt_cache = {}
self._uid_cache.get(db, {}).clear()
cached_pass = self._uid_cache.get(db, {}).get(uid)
if (cached_pass is not None) and cached_pass == passwd:
return True
cr = pooler.get_db(db).cursor()
try:
if uid not in self._salt_cache.get(db, {}):
# If we don't have cache, we have to repeat the procedure
# through the login function.
cr.execute('SELECT login FROM res_users WHERE id=%s', (uid, ))
stored_login = cr.fetchone()
if stored_login:
stored_login = stored_login[0]
res = self._login(cr, db, stored_login, passwd)
if not res:
raise security.ExceptionNoTb('AccessDenied')
else:
salt = self._salt_cache[db][uid]
cr.execute(
'SELECT COUNT(*) FROM res_users WHERE id=%s AND password=%s AND active',
(int(uid), encrypt_md5(passwd, salt)))
res = cr.fetchone()[0]
finally:
cr.close()
if not bool(res):
raise security.ExceptionNoTb('AccessDenied')
if res:
if self._uid_cache.has_key(db):
ulist = self._uid_cache[db]
ulist[uid] = passwd
else:
self._uid_cache[db] = {uid: passwd}
return bool(res)
def check(self, db, uid, passwd):
try:
return super(users, self).check(db, uid, passwd)
except security.ExceptionNoTb: # AccessDenied
pass
if not passwd:
# empty passwords disallowed for obvious security reasons
raise security.ExceptionNoTb('AccessDenied')
cr = pooler.get_db(db).cursor()
user = self.browse(cr, 1, uid)
logger = logging.getLogger('orm.ldap')
if user and user.company_id.ldaps:
for res_company_ldap in user.company_id.ldaps:
try:
l = ldap.open(res_company_ldap.ldap_server,
res_company_ldap.ldap_server_port)
if l.simple_bind_s(res_company_ldap.ldap_binddn,
res_company_ldap.ldap_password):
base = res_company_ldap.ldap_base
scope = ldap.SCOPE_SUBTREE
filter = filter_format(res_company_ldap.ldap_filter,
(user.login, ))
retrieve_attributes = None
result_id = l.search(base, scope, filter,
retrieve_attributes)
timeout = 60
result_type, result_data = l.result(result_id, timeout)
if result_data and result_type == ldap.RES_SEARCH_RESULT and len(
result_data) == 1:
dn = result_data[0][0]
# some LDAP servers allow anonymous binding with blank passwords,
# but these have been rejected above, so we're safe to use bind()
if l.bind_s(dn, passwd):
l.unbind()
self._uid_cache.setdefault(db,
{})[uid] = passwd
cr.close()
return True
l.unbind()
except Exception:
logger.warning('cannot check', exc_info=True)
pass
cr.close()
raise security.ExceptionNoTb('AccessDenied')
def access(self, db, uid, passwd, sec_level, ids):
if not passwd:
return False
cr = pooler.get_db(db).cursor()
cr.execute('select id from res_users where id=%s and password=%s',
(uid, passwd))
res = cr.fetchone()
cr.close()
if not res:
raise security.ExceptionNoTb('Bad username or password')
return res[0]
def access(self, db, uid, passwd, sec_level, ids):
if not passwd:
return False
cr = pooler.get_db(db).cursor()
try:
cr.execute('SELECT id FROM res_users WHERE id=%s AND password=%s', (uid, passwd))
res = cr.fetchone()
if not res:
raise security.ExceptionNoTb('Bad username or password')
return res[0]
finally:
cr.close()
def check(self, db, uid, passwd):
"""Verifies that the given (uid, password) pair is authorized for the database ``db`` and
raise an exception if it is not."""
if not passwd:
# empty passwords disallowed for obvious security reasons
raise security.ExceptionNoTb('AccessDenied')
if self._uid_cache.get(db, {}).get(uid) == passwd:
return True
cr = pooler.get_db(db).cursor()
try:
cr.execute('SELECT COUNT(1) FROM res_users WHERE id=%s AND password=%s AND active=%s',
(int(uid), passwd, True))
res = cr.fetchone()
if not (res and res[0]):
raise security.ExceptionNoTb('AccessDenied')
if self._uid_cache.has_key(db):
ulist = self._uid_cache[db]
ulist[uid] = passwd
else:
self._uid_cache[db] = {uid:passwd}
return True
finally:
cr.close()
def check(self, db, uid, passwd):
if not passwd:
return False
cached_pass = self._uid_cache.get(db, {}).get(uid)
if (cached_pass is not None) and cached_pass == passwd:
return True
cr = pooler.get_db(db).cursor()
cr.execute(
'select count(1) from res_users where id=%s and password=%s and active=%s',
(int(uid), passwd, True))
res = cr.fetchone()[0]
cr.close()
if not bool(res):
raise security.ExceptionNoTb('AccessDenied')
if res:
if self._uid_cache.has_key(db):
ulist = self._uid_cache[db]
ulist[uid] = passwd
else:
self._uid_cache[db] = {uid: passwd}
return bool(res)
def check(self, db, uid, passwd):
if not passwd:
return False
if self._uid_cache.get(db, {}).get(uid) == passwd:
return True
cr = pooler.get_db(db).cursor()
try:
cr.execute(
'SELECT COUNT(1) FROM res_users WHERE id=%s AND password=%s AND active=%s',
(int(uid), passwd, True))
res = cr.fetchone()[0]
if not bool(res):
raise security.ExceptionNoTb('AccessDenied')
if res:
if self._uid_cache.has_key(db):
ulist = self._uid_cache[db]
ulist[uid] = passwd
else:
self._uid_cache[db] = {uid: passwd}
return bool(res)
finally:
cr.close()
if l.simple_bind_s(res_company_ldap.ldap_binddn,
res_company_ldap.ldap_password):
base = res_company_ldap.ldap_base
scope = ldap.SCOPE_SUBTREE
filter = filter_format(res_company_ldap.ldap_filter,
(user.login, ))
retrieve_attributes = None
result_id = l.search(base, scope, filter,
retrieve_attributes)
timeout = 60
result_type, result_data = l.result(result_id, timeout)
if result_data and result_type == ldap.RES_SEARCH_RESULT and len(
result_data) == 1:
dn = result_data[0][0]
if l.bind_s(dn, passwd):
l.unbind()
self._uid_cache.setdefault(db,
{})[uid] = passwd
cr.close()
return True
l.unbind()
except Exception, e:
logger.warning('cannot check', exc_info=True)
pass
cr.close()
raise security.ExceptionNoTb('AccessDenied')
users()
# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
def check_super(self, passwd):
if passwd == tools.config['admin_passwd']:
return True
else:
raise security.ExceptionNoTb('AccessDenied')
