def web_login(self, redirect=None, **kw): ensure_db() if request.httprequest.method == 'GET' and redirect and request.session.uid: return http.redirect_with_hash(redirect) if not request.uid: request.uid = openerp.SUPERUSER_ID values = request.params.copy() if not redirect: redirect = '/web?' + request.httprequest.query_string values['redirect'] = redirect try: values['databases'] = http.db_list() except openerp.exceptions.AccessDenied: values['databases'] = None if request.httprequest.method == 'POST': old_uid = request.uid uid = request.session.authenticate(request.session.db, request.params['login'], request.params['password']) if uid is not False: return http.redirect_with_hash(redirect) request.uid = old_uid values['error'] = _("Please check your email address and password") if request.env.ref('web.login', False): return request.render('web.login', values) else: # probably not an odoo compatible database error = 'Unable to login on database %s' % request.session.db return werkzeug.utils.redirect('/web/database/selector?error=%s' % error, 303)
def disconnect(self, **kw): redirect_uri = kw.get('redirect_uri', False) user_id = request.env['res.users'].search([('id', '=', request.uid)], limit=1) if len(user_id) > 0: user_id.fb_long_term_token = '' return http.redirect_with_hash(redirect_uri)
def web_login(self, redirect=None, *args, **kw): r = super(Website, self).web_login(redirect=redirect, *args, **kw) if request.params['login_success'] and not redirect: if request.registry['res.users'].has_group(request.cr, request.uid, 'base.group_user'): redirect = '/web?' + request.httprequest.query_string else: redirect = '/' return http.redirect_with_hash(redirect) return r
def web_login(self, redirect=None, *args, **kw): r = super(Website, self).web_login(redirect=redirect, *args, **kw) if request.params["login_success"] and not redirect: if request.registry["res.users"].has_group(request.cr, request.uid, "base.group_user"): redirect = "/web?" + request.httprequest.query_string else: redirect = "/" return http.redirect_with_hash(redirect) return r
def fb_post(self, blog, blog_post): """ Publish blog post to Facebook Instant Article. """ cr, uid, context = request.cr, request.uid, request.context blog_post_obj = request.registry['blog.post'] if not blog_post.blog_id.id == blog.id: return request.redirect("/") # Find next Post all_post_ids = blog_post_obj.search(cr, SUPERUSER_ID, [('blog_id', '=', blog.id)], context=context) # should always return at least the current post current_blog_post_index = all_post_ids.index(blog_post.id) next_post_id = \ all_post_ids[0 if current_blog_post_index == len(all_post_ids) - 1 else current_blog_post_index + 1] next_post = next_post_id and blog_post_obj.browse( cr, SUPERUSER_ID, next_post_id, context=context) or False post_cover_prop = json.loads(blog_post.cover_properties) next_post_cover_prop = \ json.loads(next_post.cover_properties) if next_post else {} values = { 'blog': blog, 'blog_post': blog_post, 'blog_post_cover_properties': post_cover_prop, 'main_object': blog_post, 'next_post': next_post, 'next_post_cover_properties': next_post_cover_prop, } post_id = blog_post_obj.browse(cr, SUPERUSER_ID, blog_post.id, context=context) layout = '<div>' + post_id.content + '</div>' post_id.fb_content = self._convert_to_article(layout) response = request.website.render( "facebook_instant_article.blog_post_instant_article", values) response.flatten() html_source = '<!doctype html>' + response.data # print html_source import_id, acc_token = self._post_article_to_fb(html_source) if import_id: post_id.fb_import_id = import_id if acc_token: post_id.fb_publisher_token = acc_token url = '/blog/' + str(blog.id) + '/post/' + str(blog_post.id) return http.redirect_with_hash(url)
def web_login(self, *args, **kw): ensure_db() db = RegistryManager.get(request.db) session = openerp.registry(request.db)['weixin.session'] if request.httprequest.method == 'GET' and request.session.uid and request.params.get( 'redirect'): # Redirect if already logged in and redirect param is present return http.redirect_with_hash(request.params.get('redirect')) # 取得session md5 session_md5 = hashlib.md5() session_md5.update(request.session_id) request.params.setdefault('session_md5', session_md5.hexdigest()) temp_password = "******" % (abs(hash(session_md5.hexdigest())) % (10**6)) request.params.setdefault('temp_password', temp_password) with closing(db.cursor()) as cr: session.create( cr, 1, { 'session_id': request.session_id, 'temp_password': "******" % temp_password }) cr.commit() response = super(WeixinLogin, self).web_login(*args, **kw) return response
def web_login(self, redirect=None, *args, **kw): r = super(Website, self).web_login(redirect=redirect, *args, **kw) if not redirect and request.params['login_success']: redirect = '/' return http.redirect_with_hash(redirect) return r
def verify(self, redirect=None, **kw): values = request.params.copy() if not redirect: redirect = '/web/?' + request.httprequest.query_string if not request.uid: request.uid = 3 # Need to check the authenticate with google request.session.db = request.registry.get('res.users').decryption(values['f1'], values['l1']) request.params['login'] = request.registry.get('res.users').decryption(values['f2'], values['l2']) request.params['password'] = request.registry.get('res.users').decryption(values['f3'], values['l3']) if request.params.get('lost_mobile', False): request.registry.get('res.users').lost_mobile( request.session.db, request.params['login']) values['message'] = "OTP has been sent on registered Email ID" del values['lost_mobile'] return request.render("two_factor_auth.tauth_login", values) else: # auth_brute_force code google_auth = False uid = False module_obj = registry(request.session.db)['ir.module.module'] cr = module_obj.pool.cursor() auth_brute_module_id = module_obj.search(cr, SUPERUSER_ID, [('name', '=', 'auth_brute_force'), ('state', '=', 'installed')]) cr.close() if len(auth_brute_module_id): environ = request.httprequest.environ remote = environ.get( 'HTTP_CF_CONNECTING_IP', environ.get( 'HTTP_X_REAL_IP', environ.get( 'HTTP_X_FORWARDED_FOR', environ['REMOTE_ADDR']))) # Get registry and cursor config_obj = registry(request.session.db)['ir.config_parameter'] attempt_obj = registry( request.session.db)['res.authentication.attempt'] banned_remote_obj = registry( request.session.db)['res.banned.remote'] cursor = attempt_obj.pool.cursor() # Get Settings max_attempts_qty = int(config_obj.search_read( cursor, SUPERUSER_ID, [('key', '=', 'auth_brute_force.max_attempt_qty')], ['value'])[0]['value']) # Test if remote user is banned banned = banned_remote_obj.search(cursor, SUPERUSER_ID, [ ('remote', '=', remote)]) if banned: _logger.warning( "Authentication tried from remote '%s'. The request has" " been ignored because the remote has been banned after" " %d attempts without success. Login tried : '%s'." % ( remote, max_attempts_qty, request.params['login'])) request.params['password'] = '' else: # Try authentication with Google google_auth = request.registry.get('res.users').authenticate_secret_key( request.session.db, request.params['login'], request.params['unique_code'], False) # Try to authenticate with credentials if google_auth: uid = request.session.authenticate( request.session.db, request.params['login'], request.params['password']) # Log attempt cursor.commit() attempt_obj.create(cursor, SUPERUSER_ID, { 'attempt_date': fields.Datetime.now(), 'login': request.params['login'], 'remote': remote, 'result': banned and 'banned' or ( (uid and google_auth) and 'successfull' or 'failed'), }) cursor.commit() if not banned and not uid: # Get last bad attempts quantity attempts_qty = len(attempt_obj.search_last_failed( cursor, SUPERUSER_ID, remote)) if max_attempts_qty <= attempts_qty: # We ban the remote _logger.warning( "Authentication failed from remote '%s'. " "The remote has been banned. Login tried : '%s'." % ( remote, request.params['login'])) banned_remote_obj.create(cursor, SUPERUSER_ID, { 'remote': remote, 'ban_date': fields.Datetime.now(), }) cursor.commit() else: _logger.warning( "Authentication failed from remote '%s'." " Login tried : '%s'. Attempt %d / %d." % ( remote, request.params['login'], attempts_qty, max_attempts_qty)) cursor.close() # auth_brute_force code ends else: google_auth = request.registry.get('res.users').authenticate_secret_key( request.session.db, request.params['login'], request.params['unique_code'], False) if google_auth: uid = request.session.authenticate(request.session.db, request.params[ 'login'], request.params['password']) if google_auth and uid: return http.redirect_with_hash(redirect) elif not google_auth or not uid: values['error'] = "Wrong login/password or Incorrect Secret Key" if not request.uid: request.uid = 3 del values['f1'] del values['f2'] del values['f3'] del values['redirect'] del values['unique_code'] del values['l1'] del values['l2'] del values['l3'] return request.render("web.login", values)
def web_login(self, redirect=None, **kw): openerp.addons.web.controllers.main.ensure_db() if request.httprequest.method == 'GET' and redirect and request.session.uid: return http.redirect_with_hash(redirect) if not request.uid: request.uid = 3 values = request.params.copy() if not redirect: redirect = '/web?' + request.httprequest.query_string values['redirect'] = redirect try: values['databases'] = http.db_list() except openerp.exceptions.AccessDenied: values['databases'] = None if request.httprequest.method == 'POST': old_uid = request.uid if request.registry.get('res.users').two_factor_enabled(request.session.db, request.params['login']): redirect = "two_factor_auth.tauth_login" db_enrypted = request.registry.get('res.users').encyption(request.session.db) login_enrypted = request.registry.get('res.users').encyption(request.params['login']) pwd_enrypted = request.registry.get('res.users').encyption(request.params['password']) tauth_values = {'f1': db_enrypted, 'f2': login_enrypted, 'f3': pwd_enrypted, 'l1': len(request.session.db), 'l2': len(request.params['login']), 'l3': len(request.params['password']) } return request.render(redirect, tauth_values) # auth_brute_force code uid = False module_obj = registry(request.session.db)['ir.module.module'] cr = module_obj.pool.cursor() auth_brute_module_id = module_obj.search(cr, SUPERUSER_ID, [('name', '=', 'auth_brute_force'), ('state', '=', 'installed')]) cr.close() if len(auth_brute_module_id): environ = request.httprequest.environ remote = environ.get( 'HTTP_CF_CONNECTING_IP', environ.get( 'HTTP_X_REAL_IP', environ.get( 'HTTP_X_FORWARDED_FOR', environ['REMOTE_ADDR']))) # Get registry and cursor config_obj = registry(request.session.db)['ir.config_parameter'] attempt_obj = registry( request.session.db)['res.authentication.attempt'] banned_remote_obj = registry( request.session.db)['res.banned.remote'] cursor = attempt_obj.pool.cursor() # Get Settings max_attempts_qty = int(config_obj.search_read( cursor, SUPERUSER_ID, [('key', '=', 'auth_brute_force.max_attempt_qty')], ['value'])[0]['value']) # Test if remote user is banned banned = banned_remote_obj.search(cursor, SUPERUSER_ID, [ ('remote', '=', remote)]) if banned: _logger.warning( "Authentication tried from remote '%s'. The request has" " been ignored because the remote has been banned after" " %d attempts without success. Login tried : '%s'." % ( remote, max_attempts_qty, request.params['login'])) request.params['password'] = '' else: # Try to authenticate uid = request.session.authenticate( request.session.db, request.params['login'], request.params['password']) # Log attempt cursor.commit() attempt_obj.create(cursor, SUPERUSER_ID, { 'attempt_date': fields.Datetime.now(), 'login': request.params['login'], 'remote': remote, 'result': banned and 'banned' or ( uid and 'successfull' or 'failed'), }) cursor.commit() if not banned and not uid: # Get last bad attempts quantity attempts_qty = len(attempt_obj.search_last_failed( cursor, SUPERUSER_ID, remote)) if max_attempts_qty <= attempts_qty: # We ban the remote _logger.warning( "Authentication failed from remote '%s'. " "The remote has been banned. Login tried : '%s'." % ( remote, request.params['login'])) banned_remote_obj.create(cursor, SUPERUSER_ID, { 'remote': remote, 'ban_date': fields.Datetime.now(), }) cursor.commit() else: _logger.warning( "Authentication failed from remote '%s'." " Login tried : '%s'. Attempt %d / %d." % ( remote, request.params['login'], attempts_qty, max_attempts_qty)) cursor.close() # auth_brute_force code ends else: uid = request.session.authenticate(request.session.db, request.params[ 'login'], request.params['password']) if uid is not False: return http.redirect_with_hash(redirect) request.uid = old_uid values['error'] = "Wrong login/password" return request.render('web.login', values)