def ensure_db(db='MAST', redirect='/except'): if not db: db = request.params.get('db') if db and db not in http.db_filter([db]): db = None if not db and request.session.db and http.db_filter([request.session.db]): db = request.session.db if not db: werkzeug.exceptions.abort(werkzeug.utils.redirect(redirect, 303)) request.session.db = db
def ensure_db(db='MAST',redirect='/except'): if not db: db = request.params.get('db') if db and db not in http.db_filter([db]): db = None if not db and request.session.db and http.db_filter([request.session.db]): db = request.session.db if not db: werkzeug.exceptions.abort(werkzeug.utils.redirect(redirect, 303)) request.session.db = db
def ensure_db(redirect='/web/database/selector'): # This helper should be used in web client auth="none" routes # if those routes needs a db to work with. # If the heuristics does not find any database, then the users will be # redirected to db selector or any url specified by `redirect` argument. # If the db is taken out of a query parameter, it will be checked against # `http.db_filter()` in order to ensure it's legit and thus avoid db # forgering that could lead to xss attacks. db = request.params.get('db') # Ensure db is legit if db and db not in http.db_filter([db]): db = None if db and not request.session.db: # User asked a specific database on a new session. # That mean the nodb router has been used to find the route # Depending on installed module in the database, the rendering of the page # may depend on data injected by the database route dispatcher. # Thus, we redirect the user to the same page but with the session cookie set. # This will force using the database route dispatcher... r = request.httprequest url_redirect = r.base_url if r.query_string: # Can't use werkzeug.wrappers.BaseRequest.url with encoded hashes: # https://github.com/amigrave/werkzeug/commit/b4a62433f2f7678c234cdcac6247a869f90a7eb7 url_redirect += '?' + r.query_string response = werkzeug.utils.redirect(url_redirect, 302) request.session.db = db abort_and_redirect(url_redirect) # if db not provided, use the session one if not db and request.session.db and http.db_filter([request.session.db]): db = request.session.db # if no database provided and no database in session, use monodb if not db: db = db_monodb(request.httprequest) # if no db can be found til here, send to the database selector # the database selector will redirect to database manager if needed if not db: werkzeug.exceptions.abort(werkzeug.utils.redirect(redirect, 303)) # always switch the session to the computed db if db != request.session.db: request.session.logout() abort_and_redirect(request.httprequest.url) request.session.db = db
def oea(self, **kw): """login user via Odoo Account provider""" dbname = kw.pop('db', None) if not dbname: dbname = db_monodb() if not dbname: return BadRequest() if not http.db_filter([dbname]): return BadRequest() registry = RegistryManager.get(dbname) with registry.cursor() as cr: IMD = registry['ir.model.data'] try: model, provider_id = IMD.get_object_reference( cr, SUPERUSER_ID, 'auth_oauth', 'provider_openerp') except ValueError: return set_cookie_and_redirect('/web?db=%s' % dbname) assert model == 'auth.oauth.provider' state = { 'd': dbname, 'p': provider_id, 'c': { 'no_user_creation': True }, } kw['state'] = json.dumps(state) return self.signin(**kw)
def signin(self, **kw): state = json.loads(kw['state']) dbname = state['d'] if not http.db_filter([dbname]): return BadRequest() provider = state['p'] context = state.get('c', {}) registry = RegistryManager.get(dbname) with registry.cursor() as cr: try: u = registry.get('res.users') credentials = u.auth_oauth(cr, SUPERUSER_ID, provider, kw, context=context) cr.commit() action = state.get('a') menu = state.get('m') redirect = werkzeug.url_unquote_plus( state['r']) if state.get('r') else False url = '/web' if redirect: url = redirect elif action: url = '/web#action=%s' % action elif menu: url = '/web#menu_id=%s' % menu resp = login_and_redirect(*credentials, redirect_url=url) #Since /web is hardcoded, verify user has right to land on it if urlparse.urlparse( resp.location).path == '/web' and not request.registry[ 'res.users'].has_group(request.cr, request.uid, 'base.group_user'): resp.location = '/' return resp except AttributeError: # auth_signup is not installed _logger.error( "auth_signup not installed on database %s: oauth sign up cancelled." % (dbname, )) url = "/web/login?oauth_error=1" except openerp.exceptions.AccessDenied: # oauth credentials not valid, user could be on a temporary session _logger.info( 'OAuth2: access denied, redirect to main page in case a valid session exists, without setting cookies' ) url = "/web/login?oauth_error=3" redirect = werkzeug.utils.redirect(url, 303) redirect.autocorrect_location_header = False return redirect except Exception, e: # signup error _logger.exception("OAuth2: %s" % str(e)) url = "/web/login?oauth_error=2"
def ensure_db(redirect=URLS['login']): """ Used by client when a :meth:`http.route()<openerp.http.route>` has authentication method parameter as "none" (``auth='none'``) and if the route is dependent on a database. If no database is found, it will redirect to URL assigned to ``redirect`` parameter. If database name is from a query parameter, it will be checked by :meth:`http.db_filter()<openerp.http.db_filter>` thus to avoid database forgery that could lead to xss attacks. :param redirect: URL to redirect to :type redirect: str :returns: ``None`` :rtype: NoneType """ db = request.params.get('db') # Ensure "legitness" of database if db and db not in http.db_filter([db]): db = None if db and not request.session.db: # User asked a specific database on a new session. # That mean the nodb router has been used to find the route # Depending on installed module in the database, # the rendering of the page # may depend on data injected by the database route dispatcher. # Thus, we redirect the user to the same page but # with the session cookie set. # This will force using the database route dispatcher... r = request.httprequest url_redirect = r.base_url if r.query_string: # Can't use werkzeug.wrappers.BaseRequest.url with encoded hashes: # https://github.com/amigrave/werkzeug/commit/ # b4a62433f2f7678c234cdcac6247a869f90a7eb7 url_redirect += '?' + r.query_string utils.redirect(url_redirect, 302) request.session.db = db abort_and_redirect(url_redirect) # if db not provided, use the session one if not db: db = request.session.db # if no database provided and no database in session, use monodb if not db: db = db_monodb(request.httprequest) # if no db can be found til here, send to the database selector # the database selector will redirect to database manager if needed if not db: exceptions.abort(utils.redirect(redirect, 303)) # always switch the session to the computed db if db != request.session.db: request.session.logout() abort_and_redirect(request.httprequest.url) request.session.db = db