def web_totp(self, redirect=None, **kwargs):
    """Second-factor (TOTP) step of the login flow.

    Entered after the first factor succeeded: ``request.session.pre_uid``
    holds the candidate user while ``request.session.uid`` is still unset.

    Args:
        redirect: optional post-login target, passed through to
            ``_login_redirect`` and back into the form.
        **kwargs: form fields; ``totp_token`` (the 6-digit code, whitespace
            tolerated) and ``remember`` (register this browser as trusted)
            are read here.

    Returns:
        A redirect once the session is finalized, otherwise the rendered
        ``auth_totp.auth_totp_form`` with ``user``, ``error`` and
        ``redirect`` in its context.
    """
    # Fully authenticated already: nothing to do here.
    if request.session.uid:
        return request.redirect(self._login_redirect(request.session.uid, redirect=redirect))

    # No first factor completed: back to the password form.
    if not request.session.pre_uid:
        return request.redirect('/web/login')

    error = None
    # NOTE(review): browse() of a non-empty id yields a truthy recordset even if
    # no such row exists, so `if user` below does not check existence;
    # presumably pre_uid can only be set by a successful first factor — confirm.
    user = request.env['res.users'].browse(request.session.pre_uid)
    if user and request.httprequest.method == 'GET':
        # Trusted-device path: a valid "browser"-scoped device key in the cookie
        # stands in for the code and finalizes the session directly.
        cookies = request.httprequest.cookies
        key = cookies.get(TRUSTED_DEVICE_COOKIE)
        if key:
            checked_credentials = request.env['auth_totp.device']._check_credentials(scope="browser", key=key)
            # The key must resolve to the very user that passed the first factor.
            if checked_credentials == user.id:
                request.session.finalize(request.env)
                return request.redirect(self._login_redirect(request.session.uid, redirect=redirect))
    elif user and request.httprequest.method == 'POST' and kwargs.get('totp_token'):
        try:
            # _assert_can_auth() wraps the check; its purpose (presumably
            # throttling of repeated failures) is not visible here — confirm.
            with user._assert_can_auth():
                # Whitespace is stripped so "123 456" is accepted; anything
                # else non-numeric raises ValueError below.
                user._totp_check(int(re.sub(r'\s', '', kwargs['totp_token'])))
        except AccessDenied as e:
            # NOTE(review): the exception text is rendered into the form as-is;
            # its content comes from _assert_can_auth/_totp_check — confirm it
            # carries nothing that should not be shown to an unauthenticated client.
            error = str(e)
        except ValueError:
            error = _("Invalid authentication code format.")
        else:
            # Code accepted: promote pre_uid to a real session and rebind the env.
            request.session.finalize(request.env)
            request.update_env(user=request.session.uid)
            request.update_context(**request.session.context)
            response = request.redirect(self._login_redirect(request.session.uid, redirect=redirect))
            if kwargs.get('remember'):
                # Human-readable device label built from the User-Agent (and
                # city/country when GeoIP data is available) for the devices list.
                name = _("%(browser)s on %(platform)s",
                    browser=request.httprequest.user_agent.browser.capitalize(),
                    platform=request.httprequest.user_agent.platform.capitalize(),
                )
                geoip = request.geoip
                if geoip:
                    name += " (%s, %s)" % (geoip['city'], geoip['country_name'])
                # The generated key is what the GET branch above later validates.
                key = request.env['auth_totp.device']._generate("browser", name)
                # NOTE(review): httponly + SameSite=Lax are set explicitly; no
                # `secure` flag is passed here — whether set_cookie adds it for
                # HTTPS requests is not visible in this block, confirm.
                response.set_cookie(
                    key=TRUSTED_DEVICE_COOKIE,
                    value=key,
                    max_age=TRUSTED_DEVICE_AGE,
                    httponly=True,
                    samesite='Lax'
                )
            # Crapy workaround for unupdatable Odoo Mobile App iOS (Thanks Apple :@):
            # refresh the session lifetime before redirecting.
            request.session.touch()
            return response

    # Crapy workaround for unupdatable Odoo Mobile App iOS (Thanks Apple :@):
    # refresh the session lifetime while the user is still on the form.
    request.session.touch()
    return request.render('auth_totp.auth_totp_form', {
        'user': user,
        'error': error,
        'redirect': redirect,
    })
def web_client(self, s_action=None, **kw):
    """Serve the web client bootstrap page to an authenticated internal user.

    Guards, in order: a database must be selected, the session must carry a
    uid, an explicit ``redirect`` parameter wins over rendering, the session
    must still pass ``security.check_session`` and the user must be internal.
    Renders ``web.webclient_bootstrap`` with ``X-Frame-Options: DENY``; an
    ``AccessError`` raised while rendering redirects to the login page with
    ``error=access``.

    ``s_action`` is accepted for route compatibility and is not read here.
    """
    ensure_db()
    session = request.session

    # Anonymous visitors are sent to the login form.
    if not session.uid:
        return request.redirect('/web/login', 303)

    # An explicit redirect target takes precedence over the web client itself.
    target = kw.get('redirect')
    if target:
        return request.redirect(target, 303)

    # Sessions that no longer validate against the environment are expired.
    if not security.check_session(session, request.env):
        raise http.SessionExpiredException("Session expired")

    # Non-internal (portal/public) users do not get the backend.
    if not is_user_internal(session.uid):
        return request.redirect('/web/login_successful', 303)

    # Side effect: extend the session lifetime on every web client load.
    session.touch()

    # The route runs with auth="none", so the user must be re-attached here.
    request.update_env(user=session.uid)

    try:
        qcontext = request.env['ir.http'].webclient_rendering_context()
        response = request.render('web.webclient_bootstrap', qcontext=qcontext)
    except AccessError:
        return request.redirect('/web/login?error=access')

    # Forbid framing of the backend entirely (clickjacking mitigation).
    response.headers['X-Frame-Options'] = 'DENY'
    return response
def _auth_method_public(cls):
    """Bind the request to the current website's public user when nobody is logged in.

    The website is looked up with a superuser environment; when one is
    found, the user id cached on it (``user_id``) becomes the request uid.
    If the request still has no uid afterwards, the parent implementation
    supplies the default public user.
    """
    if not request.session.uid:
        # Superuser env: the website lookup must not depend on the caller's rights.
        sudo_env = request.env(user=SUPERUSER_ID)
        current_website = sudo_env['website'].get_current_website()
        if current_website:
            request.update_env(user=current_website._get_cached('user_id'))
    # No website-specific public user could be set: fall back to the default one.
    if not request.uid:
        super()._auth_method_public()
def _auth_method_outlook(cls):
    """Authenticate the request from an Outlook-plugin API key in ``Authorization``.

    The header is required; an optional ``Bearer `` prefix (matched
    case-sensitively) is stripped before the key is validated against
    ``res.users.apikeys`` with scope ``odoo.plugin.outlook``. A missing or
    unrecognised key raises ``BadRequest``; otherwise the request
    environment is switched to the key's owner.
    """
    bearer_prefix = 'Bearer '
    token = request.httprequest.headers.get('Authorization')
    if not token:
        raise BadRequest('Access token missing')
    if token.startswith(bearer_prefix):
        token = token[len(bearer_prefix):]
    # The check is bound to the 'odoo.plugin.outlook' scope; keys issued for
    # other scopes are presumably rejected by _check_credentials — confirm.
    owner_id = request.env["res.users.apikeys"]._check_credentials(
        scope='odoo.plugin.outlook', key=token)
    if not owner_id:
        raise BadRequest('Access token invalid')
    # Run the rest of the request as the key's owner.
    request.update_env(user=owner_id)
def auth_access_token(self, auth_code, **kw):
    """Exchange a temporary auth code for a permanent access token.

    The external app receives the auth code in a URL and calls this route to
    turn it into an API key that it then sends in the ``Authorization``
    header of subsequent requests. The old route name
    ``/mail_client_extension/auth/access_token`` is deprecated as of
    saas-14.3; newer mail plugin versions do not need it but it is kept for
    older ones.

    Args:
        auth_code: the code to resolve via ``_get_auth_code_data``.

    Returns:
        ``{'access_token': key}`` on success, ``{'error': 'Invalid code'}``
        when the code cannot be resolved.
    """
    code_data = self._get_auth_code_data(auth_code)
    if not code_data:
        return {"error": "Invalid code"}
    # Switch identity first so the key is generated for the code's owner.
    request.update_env(user=code_data['uid'])
    scope = 'odoo.plugin.' + code_data.get('scope', '')
    api_key = request.env['res.users.apikeys']._generate(scope, code_data['name'])
    return {'access_token': api_key}
def web_login(self, redirect=None, **kw):
    """Render the login form and process password (first-factor) logins.

    Args:
        redirect: optional post-login target. On GET with an existing
            session it is followed directly; on POST it is passed to
            ``_login_redirect``.
        **kw: unused here; form values are read from ``request.params``.

    Returns:
        A redirect after a successful POST (or for an already logged-in GET
        with a redirect), otherwise the rendered ``web.login`` page.
    """
    ensure_db()
    request.params['login_success'] = False
    # NOTE(review): this GET redirect is not routed through _login_redirect;
    # any validation of the target is presumably done by request.redirect — confirm.
    if request.httprequest.method == 'GET' and redirect and request.session.uid:
        return request.redirect(redirect)

    # so it is correct if overloaded with auth="public"
    # (with no user bound, the page is prepared with the superuser environment)
    if not request.uid:
        request.update_env(user=odoo.SUPERUSER_ID)

    # Only allow-listed request params reach the template context.
    values = {k: v for k, v in request.params.items() if k in SIGN_UP_REQUEST_PARAMS}
    try:
        values['databases'] = http.db_list()
    except odoo.exceptions.AccessDenied:
        # Listing databases is not permitted: the selector is simply omitted.
        values['databases'] = None

    if request.httprequest.method == 'POST':
        try:
            uid = request.session.authenticate(request.db, request.params['login'], request.params['password'])
            request.params['login_success'] = True
            return request.redirect(self._login_redirect(uid, redirect=redirect))
        except odoo.exceptions.AccessDenied as e:
            # A bare AccessDenied (default args) is a credential failure and
            # gets the generic message; any other AccessDenied carries its own text.
            if e.args == odoo.exceptions.AccessDenied().args:
                values['error'] = _("Wrong login/password")
            else:
                # NOTE(review): e.args[0] is shown to the client verbatim — confirm
                # every AccessDenied raised by authenticate() is safe to surface.
                values['error'] = e.args[0]
    else:
        # Reached via the ?error=access redirect from the web client.
        if 'error' in request.params and request.params.get('error') == 'access':
            values['error'] = _('Only employees can access this database. Please contact the administrator.')

    # Pre-fill the login field from the session when the form did not provide one.
    if 'login' not in values and request.session.get('auth_login'):
        values['login'] = request.session.get('auth_login')
    if not odoo.tools.config['list_db']:
        values['disable_database_manager'] = True

    response = request.render('web.login', values)
    # Allow framing only by the same origin (header plus its CSP equivalent).
    response.headers['X-Frame-Options'] = 'SAMEORIGIN'
    response.headers['Content-Security-Policy'] = "frame-ancestors 'self'"
    return response
def patched_auth_method_outlook(*args, **kwargs):
    """Stand-in for ``_auth_method_outlook`` (looks like a test patch).

    Reads no Authorization header at all: the request is bound to the first
    ``res.users`` record whose login equals ``login``, a variable from the
    enclosing scope rather than a parameter of this function.
    """
    users = request.env['res.users']
    matched_user = users.search([('login', '=', login)], limit=1)
    request.update_env(user=matched_user)
def _clean_context(self):
    """Drop ``allowed_company_ids`` from the request context.

    The website context may carry a company restriction that would wrongly
    narrow access here, so the key is removed and the environment is rebuilt
    with the remaining context.
    """
    cleaned = {
        key: value
        for key, value in request.context.items()
        if key != 'allowed_company_ids'
    }
    request.update_env(context=cleaned)
def patched_auth_method_outlook(*args, **kwargs):
    """Stand-in for ``_auth_method_outlook`` (looks like a test patch).

    Ignores the request entirely and binds it to ``self.user_test``, taken
    from the enclosing scope.
    """
    test_uid = self.user_test.id
    request.update_env(user=test_uid)
def _auth_method_public(cls):
    """Bind the request to ``base.public_user`` when no uid is set yet.

    A request that already carries a uid (including 0) is left untouched.
    """
    if request.env.uid is not None:
        return
    public_user = request.env.ref('base.public_user')
    request.update_env(user=public_user.id)