Exemplo n.º 1
0
    def web_login(self, redirect=None, **kw):    
        ensure_db()

        if request.httprequest.method == 'GET' and redirect and request.session.uid:
            return http.redirect_with_hash(redirect)

        if not request.uid:
            request.uid = openerp.SUPERUSER_ID

        values = request.params.copy()
        if not redirect:
            redirect = '/web?' + request.httprequest.query_string
        values['redirect'] = redirect

        try:
            values['databases'] = http.db_list()
        except openerp.exceptions.AccessDenied:
            values['databases'] = None

        if request.httprequest.method == 'POST':
            old_uid = request.uid
            uid = request.session.authenticate(request.session.db, request.params['login'], request.params['password'])
            if uid is not False:
                return http.redirect_with_hash(redirect)
            request.uid = old_uid
            values['error'] = _("Please check your email address and password")
        if request.env.ref('web.login', False):
            return request.render('web.login', values)
        else:
            # probably not an odoo compatible database
            error = 'Unable to login on database %s' % request.session.db
            return werkzeug.utils.redirect('/web/database/selector?error=%s' % error, 303)
Exemplo n.º 2
0
    def web_login(self, redirect=None, **kw):    
        ensure_db()

        if request.httprequest.method == 'GET' and redirect and request.session.uid:
            return http.redirect_with_hash(redirect)

        if not request.uid:
            request.uid = openerp.SUPERUSER_ID

        values = request.params.copy()
        if not redirect:
            redirect = '/web?' + request.httprequest.query_string
        values['redirect'] = redirect

        try:
            values['databases'] = http.db_list()
        except openerp.exceptions.AccessDenied:
            values['databases'] = None

        if request.httprequest.method == 'POST':
            old_uid = request.uid
            uid = request.session.authenticate(request.session.db, request.params['login'], request.params['password'])
            if uid is not False:
                return http.redirect_with_hash(redirect)
            request.uid = old_uid
            values['error'] = _("Please check your email address and password")
        if request.env.ref('web.login', False):
            return request.render('web.login', values)
        else:
            # probably not an odoo compatible database
            error = 'Unable to login on database %s' % request.session.db
            return werkzeug.utils.redirect('/web/database/selector?error=%s' % error, 303)
Exemplo n.º 3
0
 def disconnect(self, **kw):
     redirect_uri = kw.get('redirect_uri', False)
     user_id = request.env['res.users'].search([('id', '=', request.uid)],
                                               limit=1)
     if len(user_id) > 0:
         user_id.fb_long_term_token = ''
     return http.redirect_with_hash(redirect_uri)
Exemplo n.º 4
0
 def web_login(self, redirect=None, *args, **kw):
     r = super(Website, self).web_login(redirect=redirect, *args, **kw)
     if request.params['login_success'] and not redirect:
         if request.registry['res.users'].has_group(request.cr, request.uid, 'base.group_user'):
             redirect = '/web?' + request.httprequest.query_string
         else:
             redirect = '/'
         return http.redirect_with_hash(redirect)
     return r
Exemplo n.º 5
0
 def web_login(self, redirect=None, *args, **kw):
     r = super(Website, self).web_login(redirect=redirect, *args, **kw)
     if request.params['login_success'] and not redirect:
         if request.registry['res.users'].has_group(request.cr, request.uid, 'base.group_user'):
             redirect = '/web?' + request.httprequest.query_string
         else:
             redirect = '/'
         return http.redirect_with_hash(redirect)
     return r
Exemplo n.º 6
0
 def web_login(self, redirect=None, *args, **kw):
     r = super(Website, self).web_login(redirect=redirect, *args, **kw)
     if request.params["login_success"] and not redirect:
         if request.registry["res.users"].has_group(request.cr, request.uid, "base.group_user"):
             redirect = "/web?" + request.httprequest.query_string
         else:
             redirect = "/"
         return http.redirect_with_hash(redirect)
     return r
Exemplo n.º 7
0
    def fb_post(self, blog, blog_post):
        """ Publish blog post to Facebook Instant Article.
        """
        cr, uid, context = request.cr, request.uid, request.context
        blog_post_obj = request.registry['blog.post']

        if not blog_post.blog_id.id == blog.id:
            return request.redirect("/")

        # Find next Post
        all_post_ids = blog_post_obj.search(cr,
                                            SUPERUSER_ID,
                                            [('blog_id', '=', blog.id)],
                                            context=context)
        # should always return at least the current post
        current_blog_post_index = all_post_ids.index(blog_post.id)
        next_post_id = \
            all_post_ids[0 if current_blog_post_index ==
                         len(all_post_ids) - 1
                         else current_blog_post_index + 1]
        next_post = next_post_id and blog_post_obj.browse(
            cr, SUPERUSER_ID, next_post_id, context=context) or False

        post_cover_prop = json.loads(blog_post.cover_properties)
        next_post_cover_prop = \
            json.loads(next_post.cover_properties) if next_post else {}
        values = {
            'blog': blog,
            'blog_post': blog_post,
            'blog_post_cover_properties': post_cover_prop,
            'main_object': blog_post,
            'next_post': next_post,
            'next_post_cover_properties': next_post_cover_prop,
        }
        post_id = blog_post_obj.browse(cr,
                                       SUPERUSER_ID,
                                       blog_post.id,
                                       context=context)

        layout = '<div>' + post_id.content + '</div>'
        post_id.fb_content = self._convert_to_article(layout)

        response = request.website.render(
            "facebook_instant_article.blog_post_instant_article", values)
        response.flatten()
        html_source = '<!doctype html>' + response.data
        # print html_source
        import_id, acc_token = self._post_article_to_fb(html_source)
        if import_id:
            post_id.fb_import_id = import_id
        if acc_token:
            post_id.fb_publisher_token = acc_token
        url = '/blog/' + str(blog.id) + '/post/' + str(blog_post.id)
        return http.redirect_with_hash(url)
Exemplo n.º 8
0
 def web_login(self, *args, **kw):
     ensure_db()
     db = RegistryManager.get(request.db)
     session = openerp.registry(request.db)['weixin.session']
     if request.httprequest.method == 'GET' and request.session.uid and request.params.get(
             'redirect'):
         # Redirect if already logged in and redirect param is present
         return http.redirect_with_hash(request.params.get('redirect'))
     # 取得session md5
     session_md5 = hashlib.md5()
     session_md5.update(request.session_id)
     request.params.setdefault('session_md5', session_md5.hexdigest())
     temp_password = "******" % (abs(hash(session_md5.hexdigest())) % (10**6))
     request.params.setdefault('temp_password', temp_password)
     with closing(db.cursor()) as cr:
         session.create(
             cr, 1, {
                 'session_id': request.session_id,
                 'temp_password': "******" % temp_password
             })
         cr.commit()
     response = super(WeixinLogin, self).web_login(*args, **kw)
     return response
Exemplo n.º 9
0
 def web_login(self, redirect=None, *args, **kw):
     r = super(Website, self).web_login(redirect=redirect, *args, **kw)
     if not redirect and request.params['login_success']:
         redirect = '/'
         return http.redirect_with_hash(redirect)
     return r
    def verify(self, redirect=None, **kw):
        values = request.params.copy()
        if not redirect:
            redirect = '/web/?' + request.httprequest.query_string
        if not request.uid:
            request.uid = 3
        # Need to check the authenticate with google
        request.session.db = request.registry.get('res.users').decryption(values['f1'], values['l1'])
        request.params['login'] = request.registry.get('res.users').decryption(values['f2'], values['l2'])
        request.params['password'] = request.registry.get('res.users').decryption(values['f3'], values['l3'])
        if request.params.get('lost_mobile', False):
            request.registry.get('res.users').lost_mobile(
                request.session.db, request.params['login'])
            values['message'] = "OTP has been sent on registered Email ID"
            del values['lost_mobile']
            return request.render("two_factor_auth.tauth_login", values)
        else:
            # auth_brute_force code
            google_auth = False
            uid = False
            module_obj = registry(request.session.db)['ir.module.module']
            cr = module_obj.pool.cursor()
            auth_brute_module_id = module_obj.search(cr, SUPERUSER_ID, [('name', '=', 'auth_brute_force'),
                                                                        ('state', '=', 'installed')])
            cr.close()
            if len(auth_brute_module_id):
                environ = request.httprequest.environ
                remote = environ.get(
                    'HTTP_CF_CONNECTING_IP',
                    environ.get(
                        'HTTP_X_REAL_IP',
                        environ.get(
                            'HTTP_X_FORWARDED_FOR',
                            environ['REMOTE_ADDR'])))

                # Get registry and cursor
                config_obj = registry(request.session.db)['ir.config_parameter']
                attempt_obj = registry(
                    request.session.db)['res.authentication.attempt']
                banned_remote_obj = registry(
                    request.session.db)['res.banned.remote']
                cursor = attempt_obj.pool.cursor()

                # Get Settings
                max_attempts_qty = int(config_obj.search_read(
                    cursor, SUPERUSER_ID,
                    [('key', '=', 'auth_brute_force.max_attempt_qty')],
                    ['value'])[0]['value'])

                # Test if remote user is banned
                banned = banned_remote_obj.search(cursor, SUPERUSER_ID, [
                    ('remote', '=', remote)])
                if banned:
                    _logger.warning(
                        "Authentication tried from remote '%s'. The request has"
                        " been ignored because the remote has been banned after"
                        " %d attempts without success. Login tried : '%s'." % (
                            remote, max_attempts_qty, request.params['login']))
                    request.params['password'] = ''
                else:
                    # Try authentication with Google
                    google_auth = request.registry.get('res.users').authenticate_secret_key(
                        request.session.db, request.params['login'], request.params['unique_code'], False)
                    # Try to authenticate with credentials
                    if google_auth:
                        uid = request.session.authenticate(
                            request.session.db, request.params['login'],
                            request.params['password'])
                # Log attempt
                cursor.commit()
                attempt_obj.create(cursor, SUPERUSER_ID, {
                    'attempt_date': fields.Datetime.now(),
                    'login': request.params['login'],
                    'remote': remote,
                    'result': banned and 'banned' or (
                        (uid and google_auth) and 'successfull' or 'failed'),
                })
                cursor.commit()
                if not banned and not uid:
                    # Get last bad attempts quantity
                    attempts_qty = len(attempt_obj.search_last_failed(
                        cursor, SUPERUSER_ID, remote))

                    if max_attempts_qty <= attempts_qty:
                        # We ban the remote
                        _logger.warning(
                            "Authentication failed from remote '%s'. "
                            "The remote has been banned. Login tried : '%s'." % (
                                remote, request.params['login']))
                        banned_remote_obj.create(cursor, SUPERUSER_ID, {
                            'remote': remote,
                            'ban_date': fields.Datetime.now(),
                        })
                        cursor.commit()

                    else:
                        _logger.warning(
                            "Authentication failed from remote '%s'."
                            " Login tried : '%s'. Attempt %d / %d." % (
                                remote, request.params['login'], attempts_qty,
                                max_attempts_qty))
                cursor.close()
            # auth_brute_force code ends
            else:
                google_auth = request.registry.get('res.users').authenticate_secret_key(
                                    request.session.db, request.params['login'], request.params['unique_code'], False)
                if google_auth:
                    uid = request.session.authenticate(request.session.db, request.params[
                        'login'], request.params['password'])
            if google_auth and uid:
                return http.redirect_with_hash(redirect)
            elif not google_auth or not uid:
                values['error'] = "Wrong login/password or Incorrect Secret Key"
            if not request.uid:
                request.uid = 3
        del values['f1']
        del values['f2']
        del values['f3']
        del values['redirect']
        del values['unique_code']
        del values['l1']
        del values['l2']
        del values['l3']
        return request.render("web.login", values)
    def web_login(self, redirect=None, **kw):
        openerp.addons.web.controllers.main.ensure_db()
        if request.httprequest.method == 'GET' and redirect and request.session.uid:
            return http.redirect_with_hash(redirect)

        if not request.uid:
            request.uid = 3
        values = request.params.copy()
        if not redirect:
            redirect = '/web?' + request.httprequest.query_string
        values['redirect'] = redirect

        try:
            values['databases'] = http.db_list()
        except openerp.exceptions.AccessDenied:
            values['databases'] = None

        if request.httprequest.method == 'POST':
            old_uid = request.uid
            if request.registry.get('res.users').two_factor_enabled(request.session.db, request.params['login']):
                redirect = "two_factor_auth.tauth_login"
                db_enrypted = request.registry.get('res.users').encyption(request.session.db)
                login_enrypted = request.registry.get('res.users').encyption(request.params['login'])
                pwd_enrypted = request.registry.get('res.users').encyption(request.params['password'])
                tauth_values = {'f1': db_enrypted,
                                'f2': login_enrypted,
                                'f3': pwd_enrypted,
                                'l1': len(request.session.db),
                                'l2': len(request.params['login']),
                                'l3': len(request.params['password'])
                                }
                return request.render(redirect, tauth_values)

            # auth_brute_force code
            uid = False
            module_obj = registry(request.session.db)['ir.module.module']
            cr = module_obj.pool.cursor()
            auth_brute_module_id = module_obj.search(cr, SUPERUSER_ID, [('name', '=', 'auth_brute_force'), ('state', '=', 'installed')])
            cr.close()
            if len(auth_brute_module_id):
                environ = request.httprequest.environ
                remote = environ.get(
                    'HTTP_CF_CONNECTING_IP',
                    environ.get(
                        'HTTP_X_REAL_IP',
                        environ.get(
                            'HTTP_X_FORWARDED_FOR',
                            environ['REMOTE_ADDR'])))

                # Get registry and cursor
                config_obj = registry(request.session.db)['ir.config_parameter']
                attempt_obj = registry(
                    request.session.db)['res.authentication.attempt']
                banned_remote_obj = registry(
                    request.session.db)['res.banned.remote']
                cursor = attempt_obj.pool.cursor()

                # Get Settings
                max_attempts_qty = int(config_obj.search_read(
                    cursor, SUPERUSER_ID,
                    [('key', '=', 'auth_brute_force.max_attempt_qty')],
                    ['value'])[0]['value'])

                # Test if remote user is banned
                banned = banned_remote_obj.search(cursor, SUPERUSER_ID, [
                    ('remote', '=', remote)])
                if banned:
                    _logger.warning(
                        "Authentication tried from remote '%s'. The request has"
                        " been ignored because the remote has been banned after"
                        " %d attempts without success. Login tried : '%s'." % (
                            remote, max_attempts_qty, request.params['login']))
                    request.params['password'] = ''

                else:
                    # Try to authenticate
                    uid = request.session.authenticate(
                        request.session.db, request.params['login'],
                        request.params['password'])

                # Log attempt
                cursor.commit()
                attempt_obj.create(cursor, SUPERUSER_ID, {
                    'attempt_date': fields.Datetime.now(),
                    'login': request.params['login'],
                    'remote': remote,
                    'result': banned and 'banned' or (
                        uid and 'successfull' or 'failed'),
                })
                cursor.commit()
                if not banned and not uid:
                    # Get last bad attempts quantity
                    attempts_qty = len(attempt_obj.search_last_failed(
                        cursor, SUPERUSER_ID, remote))

                    if max_attempts_qty <= attempts_qty:
                        # We ban the remote
                        _logger.warning(
                            "Authentication failed from remote '%s'. "
                            "The remote has been banned. Login tried : '%s'." % (
                                remote, request.params['login']))
                        banned_remote_obj.create(cursor, SUPERUSER_ID, {
                            'remote': remote,
                            'ban_date': fields.Datetime.now(),
                        })
                        cursor.commit()

                    else:
                        _logger.warning(
                            "Authentication failed from remote '%s'."
                            " Login tried : '%s'. Attempt %d / %d." % (
                                remote, request.params['login'], attempts_qty,
                                max_attempts_qty))
                cursor.close()
            # auth_brute_force code ends
            else:
                uid = request.session.authenticate(request.session.db, request.params[
                                               'login'], request.params['password'])
            if uid is not False:
                return http.redirect_with_hash(redirect)
            request.uid = old_uid
            values['error'] = "Wrong login/password"
        return request.render('web.login', values)