def user_id(self):
if not self.view_args:
return None
database_name = self.view_args.get('database_name')
if not database_name:
return None
auth = self.authorization
if not auth:
return None
context = {'_request': self.context}
if auth.type == 'session':
user_id = security.check(database_name,
auth.get('userid'),
auth.get('session'),
context=context)
else:
try:
user_id = security.login(database_name,
auth.username,
auth,
cache=False,
context=context)
except RateLimitException:
abort(HTTPStatus.TOO_MANY_REQUESTS)
return user_id
def get_userinfo(self, user, password, command=''):
path = urlparse.urlparse(self.path).path
dbname = urllib.unquote_plus(path.split('/', 2)[1])
database = backend.get('Database')().connect()
cursor = database.cursor()
databases = database.list(cursor)
cursor.close()
if not dbname or dbname not in databases:
return True
if user:
user = int(login(dbname, user, password, cache=False))
if not user:
return None
else:
url = urlparse.urlparse(self.path)
query = urlparse.parse_qs(url.query)
path = url.path[len(dbname) + 2:]
if 'key' in query:
key, = query['key']
with Transaction().start(dbname, 0) as transaction:
database_list = Pool.database_list()
pool = Pool(dbname)
if dbname not in database_list:
pool.init()
Share = pool.get('webdav.share')
user = Share.get_login(key, command, path)
transaction.cursor.commit()
if not user:
return None
Transaction().start(dbname, user, context={
'_check_access': True,
})
Cache.clean(dbname)
return user
def get_userinfo(self, user, password, command=''):
path = urlparse.urlparse(self.path).path
dbname = urllib.unquote_plus(path.split('/', 2)[1])
database = Database().connect()
cursor = database.cursor()
databases = database.list(cursor)
cursor.close()
if not dbname or dbname not in databases:
return True
if user:
user = int(login(dbname, user, password, cache=False))
if not user:
return None
else:
url = urlparse.urlparse(self.path)
query = urlparse.parse_qs(url.query)
path = url.path[len(dbname) + 2:]
if 'key' in query:
key, = query['key']
with Transaction().start(dbname, 0) as transaction:
database_list = Pool.database_list()
pool = Pool(dbname)
if not dbname in database_list:
pool.init()
Share = pool.get('webdav.share')
user = Share.get_login(key, command, path)
transaction.cursor.commit()
if not user:
return None
Transaction().start(dbname, user)
Cache.clean(dbname)
return user
def login(request, database_name, user, parameters, language=None):
Database = backend.get('Database')
DatabaseOperationalError = backend.get('DatabaseOperationalError')
try:
Database(database_name).connect()
except DatabaseOperationalError:
logger.error('fail to connect to %s', database_name, exc_info=True)
abort(404)
context = {
'language': language,
'_request': request.context,
}
try:
session = security.login(database_name,
user,
parameters,
context=context)
code = 403
except RateLimitException:
session = None
code = 429
msg = 'successful login' if session else 'bad login or password'
logger.info('%s \'%s\' from %s using %s on database \'%s\'', msg, user,
request.remote_addr, request.scheme, database_name)
if not session:
abort(code)
return session
def parse_request(self):
res = SimpleXMLRPCServer.SimpleXMLRPCRequestHandler.parse_request(self)
if not res:
return res
if 'content-length' not in self.headers:
self.headers['content-length'] = '0'
url = urlparse(self.path)
database_name = url.path.split('/')[1]
if not database_name:
self.tryton = {'user': None, 'session': None}
return res
try:
method, up64 = self.headers['Authorization'].split(None, 1)
if method.strip().lower() == 'basic':
user, password = base64.decodestring(up64).split(':', 1)
user_id, session = security.login(database_name, user,
password)
self.tryton = {'user': user_id, 'session': session}
return res
except Exception:
pass
auth_header = {'WWW-Authenticate': 'Basic realm="Tryton"'}
self.send_error(401, 'Unauthorized', headers=auth_header)
return False
def login(database):
"""
POST: Login and return user id and session
"""
result = security.login(database, request.form['login'],
request.form['password'])
if result:
return jsonify({
'id': result[0],
'session': result[1],
})
return 'Bad Username or Password', 403
def login(database):
"""
POST: Login and return user id and session
"""
result = security.login(
database, request.form['login'], request.form['password']
)
if result:
return jsonify({
'id': result[0],
'session': result[1],
})
return 'Bad Username or Password', 403
def user_id(self):
database_name = self.view_args.get('database_name')
if not database_name:
return None
auth = self.authorization
if not auth:
return None
if auth.type == 'session':
user_id = security.check(
database_name, auth.get('userid'), auth.get('session'),
context={'_request': self.context})
else:
user_id = security.login(
database_name, auth.username, auth, cache=False)
return user_id
def user_id(self):
database_name = self.view_args['database_name']
auth = self.authorization
if not auth:
abort(401)
if auth.type == 'session':
user_id = security.check(
database_name, auth.get('userid'), auth.get('session'))
if not user_id:
abort(403)
else:
user_id = security.login(
database_name, auth.username, auth.password, cache=False)
if not user_id:
abort(401)
return user_id
def login(request, database_name, user, password):
Database = backend.get('Database')
DatabaseOperationalError = backend.get('DatabaseOperationalError')
try:
Database(database_name).connect()
except DatabaseOperationalError:
logger.error('fail to connect to %s', database_name, exc_info=True)
return False
session = security.login(database_name, user, password)
with Transaction().start(database_name, 0):
Cache.clean(database_name)
Cache.resets(database_name)
msg = 'successful login' if session else 'bad login or password'
logger.info('%s \'%s\' from %s using %s on database \'%s\'',
msg, user, request.remote_addr, request.scheme, database_name)
return session
def login(request, database_name, user, password):
Database = backend.get('Database')
DatabaseOperationalError = backend.get('DatabaseOperationalError')
try:
Database(database_name).connect()
except DatabaseOperationalError:
logger.error('fail to connect to %s', database_name, exc_info=True)
return False
session = security.login(database_name, user, password)
with Transaction().start(database_name, 0):
Cache.clean(database_name)
Cache.resets(database_name)
msg = 'successful login' if session else 'bad login or password'
logger.info('%s \'%s\' from %s using %s on database \'%s\'',
msg, user, request.remote_addr, request.scheme, database_name)
return session
def parse_request(self):
res = SimpleXMLRPCServer.SimpleXMLRPCRequestHandler.parse_request(self)
if not res:
return res
database_name = self.path[1:]
if not database_name:
self.tryton = {"user": None, "session": None}
return res
try:
method, up64 = self.headers["Authorization"].split(None, 1)
if method.strip().lower() == "basic":
user, password = base64.decodestring(up64).split(":", 1)
user_id, session = security.login(database_name, user, password)
self.tryton = {"user": user_id, "session": session}
return res
except Exception:
pass
self.send_error(401, "Unauthorized")
self.send_header("WWW-Authenticate", 'Basic realm="Tryton"')
return False
def get_userinfo(self, user, password, command=''):
path = urllib.parse.urlparse(self.path).path
dbname = urllib.parse.unquote_plus(path.split('/', 2)[1])
with Transaction().start(dbname, 0, close=True) as transaction:
databases = transaction.database.list()
if not dbname or dbname not in databases:
return True
if user:
user = str(user)
parameters = {'password': password}
user = login(dbname, user, parameters, cache=False)
if not user:
return None
user = int(user)
else:
url = urllib.parse.urlparse(self.path)
query = urllib.parse.parse_qs(url.query)
path = url.path[len(dbname) + 2:]
if 'key' in query:
key, = query['key']
with Transaction().start(dbname, 0) as transaction:
database_list = Pool.database_list()
pool = Pool(dbname)
if dbname not in database_list:
pool.init()
Share = pool.get('webdav.share')
user = Share.get_login(key, command, path)
transaction.commit()
if not user:
return None
Transaction().start(dbname,
user,
context={
'_check_access': True,
},
autocommit=True)
Cache.clean(dbname)
return user
def parse_request(self):
res = SimpleXMLRPCServer.SimpleXMLRPCRequestHandler.parse_request(self)
if not res:
return res
database_name = self.path[1:]
if not database_name:
self.tryton = {'user': None, 'session': None}
return res
try:
method, up64 = self.headers['Authorization'].split(None, 1)
if method.strip().lower() == 'basic':
user, password = base64.decodestring(up64).split(':', 1)
user_id, session = security.login(database_name, user,
password)
self.tryton = {'user': user_id, 'session': session}
return res
except Exception:
pass
self.send_error(401, 'Unauthorized')
self.send_header("WWW-Authenticate", 'Basic realm="Tryton"')
return False
def login(request, database_name, user, parameters, language=None):
try:
backend.Database(database_name).connect()
except backend.DatabaseOperationalError:
logger.error('fail to connect to %s', database_name, exc_info=True)
abort(HTTPStatus.NOT_FOUND)
context = {
'language': language,
'_request': request.context,
}
try:
session = security.login(database_name,
user,
parameters,
context=context)
code = HTTPStatus.UNAUTHORIZED
except RateLimitException:
session = None
code = HTTPStatus.TOO_MANY_REQUESTS
if not session:
abort(code)
return session
def login(request, database_name, user, parameters, language=None):
Database = backend.get('Database')
DatabaseOperationalError = backend.get('DatabaseOperationalError')
try:
Database(database_name).connect()
except DatabaseOperationalError:
logger.error('fail to connect to %s', database_name, exc_info=True)
abort(404)
context = {
'language': language,
'_request': request.context,
}
try:
session = security.login(database_name,
user,
parameters,
context=context)
code = 403
except RateLimitException:
session = None
code = 429
if not session:
abort(code)
return session
def dispatch(host, port, protocol, database_name, user, session, object_type,
object_name, method, *args, **kwargs):
Database = backend.get('Database')
DatabaseOperationalError = backend.get('DatabaseOperationalError')
if object_type == 'common':
if method == 'login':
try:
database = Database(database_name).connect()
cursor = database.cursor()
cursor.close()
except Exception:
return False
res = security.login(database_name, user, session)
with Transaction().start(database_name, 0):
Cache.clean(database_name)
Cache.resets(database_name)
msg = res and 'successful login' or 'bad login or password'
logger.info('%s \'%s\' from %s:%d using %s on database \'%s\'',
msg, user, host, port, protocol, database_name)
return res or False
elif method == 'logout':
name = security.logout(database_name, user, session)
logger.info('logout \'%s\' from %s:%d '
'using %s on database \'%s\'',
name, host, port, protocol, database_name)
return True
elif method == 'version':
return __version__
elif method == 'list_lang':
return [
('bg_BG', 'Български'),
('ca_ES', 'Català'),
('cs_CZ', 'Čeština'),
('de_DE', 'Deutsch'),
('en_US', 'English'),
('es_AR', 'Español (Argentina)'),
('es_EC', 'Español (Ecuador)'),
('es_ES', 'Español (España)'),
('es_CO', 'Español (Colombia)'),
('es_MX', 'Español (México)'),
('fr_FR', 'Français'),
('hu_HU', 'Magyar'),
('it_IT', 'Italiano'),
('lt_LT', 'Lietuvių'),
('nl_NL', 'Nederlands'),
('pt_BR', 'Português (Brasil)'),
('ru_RU', 'Russian'),
('sl_SI', 'Slovenščina'),
]
elif method == 'db_exist':
try:
database = Database(*args, **kwargs).connect()
cursor = database.cursor()
cursor.close(close=True)
return True
except Exception:
return False
elif method == 'list':
if not config.getboolean('database', 'list'):
raise Exception('AccessDenied')
with Transaction().start(None, 0, close=True) as transaction:
return transaction.database.list(transaction.cursor)
elif method == 'create':
return create(*args, **kwargs)
elif method == 'restore':
return restore(*args, **kwargs)
elif method == 'drop':
return drop(*args, **kwargs)
elif method == 'dump':
return dump(*args, **kwargs)
return
elif object_type == 'system':
database = Database(database_name).connect()
database_list = Pool.database_list()
pool = Pool(database_name)
if database_name not in database_list:
pool.init()
if method == 'listMethods':
res = []
for type in ('model', 'wizard', 'report'):
for object_name, obj in pool.iterobject(type=type):
for method in obj.__rpc__:
res.append(type + '.' + object_name + '.' + method)
return res
elif method == 'methodSignature':
return 'signatures not supported'
elif method == 'methodHelp':
res = []
args_list = args[0].split('.')
object_type = args_list[0]
object_name = '.'.join(args_list[1:-1])
method = args_list[-1]
obj = pool.get(object_name, type=object_type)
return pydoc.getdoc(getattr(obj, method))
for count in range(config.getint('database', 'retry'), -1, -1):
try:
user = security.check(database_name, user, session)
except DatabaseOperationalError:
if count:
continue
raise
break
database_list = Pool.database_list()
pool = Pool(database_name)
if database_name not in database_list:
with Transaction().start(database_name, user,
readonly=True) as transaction:
pool.init()
obj = pool.get(object_name, type=object_type)
if method in obj.__rpc__:
rpc = obj.__rpc__[method]
else:
raise UserError('Calling method %s on %s %s is not allowed!'
% (method, object_type, object_name))
log_message = '%s.%s.%s(*%s, **%s) from %s@%s:%d/%s'
log_args = (object_type, object_name, method, args, kwargs,
user, host, port, database_name)
logger.info(log_message, *log_args)
for count in range(config.getint('database', 'retry'), -1, -1):
with Transaction().start(database_name, user,
readonly=rpc.readonly) as transaction:
Cache.clean(database_name)
try:
c_args, c_kwargs, transaction.context, transaction.timestamp \
= rpc.convert(obj, *args, **kwargs)
meth = getattr(obj, method)
if (rpc.instantiate is None
or not is_instance_method(obj, method)):
result = rpc.result(meth(*c_args, **c_kwargs))
else:
assert rpc.instantiate == 0
inst = c_args.pop(0)
if hasattr(inst, method):
result = rpc.result(meth(inst, *c_args, **c_kwargs))
else:
result = [rpc.result(meth(i, *c_args, **c_kwargs))
for i in inst]
if not rpc.readonly:
transaction.cursor.commit()
except DatabaseOperationalError:
transaction.cursor.rollback()
if count and not rpc.readonly:
continue
raise
except (NotLogged, ConcurrencyException, UserError, UserWarning):
logger.debug(log_message, *log_args, exc_info=True)
transaction.cursor.rollback()
raise
except Exception:
logger.error(log_message, *log_args, exc_info=True)
transaction.cursor.rollback()
raise
Cache.resets(database_name)
with Transaction().start(database_name, 0) as transaction:
pool = Pool(database_name)
Session = pool.get('ir.session')
try:
Session.reset(session)
except DatabaseOperationalError:
logger.debug('Reset session failed', exc_info=True)
# Silently fail when reseting session
transaction.cursor.rollback()
else:
transaction.cursor.commit()
logger.debug('Result: %s', result)
return result
def get_auth_header():
result = security.login(DB_NAME, 'admin', 'admin')
return 'Basic ' + base64.b64encode('%s:%s' % result)
def get_auth_header():
result = security.login(DB_NAME, 'admin', 'admin')
return 'Basic ' + base64.b64encode('%s:%s' % result)
def dispatch(host, port, protocol, database_name, user, session, object_type,
object_name, method, *args, **kwargs):
Database = backend.get('Database')
DatabaseOperationalError = backend.get('DatabaseOperationalError')
if object_type == 'common':
if method == 'login':
try:
database = Database(database_name).connect()
cursor = database.cursor()
cursor.close()
except Exception:
return False
res = security.login(database_name, user, session)
with Transaction().start(database_name, 0):
Cache.clean(database_name)
Cache.resets(database_name)
msg = res and 'successful login' or 'bad login or password'
logger.info('%s \'%s\' from %s:%d using %s on database \'%s\'',
msg, user, host, port, protocol, database_name)
return res or False
elif method == 'logout':
name = security.logout(database_name, user, session)
logger.info('logout \'%s\' from %s:%d '
'using %s on database \'%s\'',
name, host, port, protocol, database_name)
return True
elif method == 'version':
return __version__
elif method == 'list_lang':
return [
('bg_BG', 'Български'),
('ca_ES', 'Català'),
('cs_CZ', 'Čeština'),
('de_DE', 'Deutsch'),
('en_US', 'English'),
('es_AR', 'Español (Argentina)'),
('es_EC', 'Español (Ecuador)'),
('es_ES', 'Español (España)'),
('es_CO', 'Español (Colombia)'),
('fr_FR', 'Français'),
('lt_LT', 'Lietuvių'),
('nl_NL', 'Nederlands'),
('ru_RU', 'Russian'),
('sl_SI', 'Slovenščina'),
]
elif method == 'db_exist':
try:
database = Database(*args, **kwargs).connect()
cursor = database.cursor()
cursor.close(close=True)
return True
except Exception:
return False
elif method == 'list':
if not config.getboolean('database', 'list'):
raise Exception('AccessDenied')
with Transaction().start(None, 0, close=True) as transaction:
return transaction.database.list(transaction.cursor)
elif method == 'create':
return create(*args, **kwargs)
elif method == 'restore':
return restore(*args, **kwargs)
elif method == 'drop':
return drop(*args, **kwargs)
elif method == 'dump':
return dump(*args, **kwargs)
return
elif object_type == 'system':
database = Database(database_name).connect()
database_list = Pool.database_list()
pool = Pool(database_name)
if database_name not in database_list:
pool.init()
if method == 'listMethods':
res = []
for type in ('model', 'wizard', 'report'):
for object_name, obj in pool.iterobject(type=type):
for method in obj.__rpc__:
res.append(type + '.' + object_name + '.' + method)
return res
elif method == 'methodSignature':
return 'signatures not supported'
elif method == 'methodHelp':
res = []
args_list = args[0].split('.')
object_type = args_list[0]
object_name = '.'.join(args_list[1:-1])
method = args_list[-1]
obj = pool.get(object_name, type=object_type)
return pydoc.getdoc(getattr(obj, method))
for count in range(config.getint('database', 'retry'), -1, -1):
try:
user = security.check(database_name, user, session)
except DatabaseOperationalError:
if count:
continue
raise
break
database_list = Pool.database_list()
pool = Pool(database_name)
if database_name not in database_list:
with Transaction().start(database_name, user,
readonly=True) as transaction:
pool.init()
obj = pool.get(object_name, type=object_type)
if method in obj.__rpc__:
rpc = obj.__rpc__[method]
else:
raise UserError('Calling method %s on %s %s is not allowed!'
% (method, object_type, object_name))
log_message = '%s.%s.%s(*%s, **%s) from %s@%s:%d/%s'
log_args = (object_type, object_name, method, args, kwargs,
user, host, port, database_name)
logger.info(log_message, *log_args)
for count in range(config.getint('database', 'retry'), -1, -1):
with Transaction().start(database_name, user,
readonly=rpc.readonly) as transaction:
Cache.clean(database_name)
try:
c_args, c_kwargs, transaction.context, transaction.timestamp \
= rpc.convert(obj, *args, **kwargs)
meth = getattr(obj, method)
if (rpc.instantiate is None
or not is_instance_method(obj, method)):
result = rpc.result(meth(*c_args, **c_kwargs))
else:
assert rpc.instantiate == 0
inst = c_args.pop(0)
if hasattr(inst, method):
result = rpc.result(meth(inst, *c_args, **c_kwargs))
else:
result = [rpc.result(meth(i, *c_args, **c_kwargs))
for i in inst]
if not rpc.readonly:
transaction.cursor.commit()
except DatabaseOperationalError:
transaction.cursor.rollback()
if count and not rpc.readonly:
continue
raise
except (NotLogged, ConcurrencyException, UserError, UserWarning):
logger.debug(log_message, *log_args, exc_info=True)
transaction.cursor.rollback()
raise
except Exception:
logger.error(log_message, *log_args, exc_info=True)
transaction.cursor.rollback()
raise
Cache.resets(database_name)
with Transaction().start(database_name, 0) as transaction:
pool = Pool(database_name)
Session = pool.get('ir.session')
try:
Session.reset(session)
except DatabaseOperationalError:
logger.debug('Reset session failed', exc_info=True)
# Silently fail when reseting session
transaction.cursor.rollback()
else:
transaction.cursor.commit()
logger.debug('Result: %s', result)
return result
def dispatch(host, port, protocol, database_name, user, session, object_type,
object_name, method, *args, **kargs):
if object_type == 'common':
if method == 'login':
try:
database = Database(database_name).connect()
cursor = database.cursor()
cursor.close()
except Exception:
return False
res = security.login(database_name, user, session)
Cache.clean(database_name)
logger = logging.getLogger('dispatcher')
msg = res and 'successful login' or 'bad login or password'
logger.info('%s \'%s\' from %s:%d using %s on database \'%s\'' % \
(msg, user, host, port, protocol, database_name))
Cache.resets(database_name)
return res or False
elif method == 'logout':
name = security.logout(database_name, user, session)
logger = logging.getLogger('dispatcher')
logger.info('logout \'%s\' from %s:%d ' \
'using %s on database \'%s\'' %
(name, host, port, protocol, database_name))
return True
elif method == 'version':
return VERSION
elif method == 'timezone_get':
return CONFIG['timezone']
elif method == 'list_lang':
return [
('bg_BG', 'Български'),
('ca_ES', 'Català'),
('cs_CZ', 'Čeština'),
('de_DE', 'Deutsch'),
('en_US', 'English'),
('es_AR', 'Español (Argentina)'),
('es_ES', 'Español (España)'),
('es_CO', 'Español (Colombia)'),
('fr_FR', 'Français'),
('nl_NL', 'Nederlands'),
('ru_RU', 'Russian'),
]
elif method == 'db_exist':
try:
database = Database(*args, **kargs).connect()
cursor = database.cursor()
cursor.close(close=True)
return True
except Exception:
return False
elif method == 'list':
if CONFIG['prevent_dblist']:
raise Exception('AccessDenied')
database = Database().connect()
try:
cursor = database.cursor()
try:
res = database.list(cursor)
finally:
cursor.close(close=True)
except Exception:
res = []
return res
elif method == 'create':
return create(*args, **kargs)
elif method == 'restore':
return restore(*args, **kargs)
elif method == 'drop':
return drop(*args, **kargs)
elif method == 'dump':
return dump(*args, **kargs)
return
elif object_type == 'system':
database = Database(database_name).connect()
database_list = Pool.database_list()
pool = Pool(database_name)
if not database_name in database_list:
pool.init()
if method == 'listMethods':
res = []
for type in ('model', 'wizard', 'report'):
for object_name, obj in pool.iterobject(type=type):
for method in obj._rpc:
res.append(type + '.' + object_name + '.' + method)
return res
elif method == 'methodSignature':
return 'signatures not supported'
elif method == 'methodHelp':
res = []
args_list = args[0].split('.')
object_type = args_list[0]
object_name = '.'.join(args_list[1:-1])
method = args_list[-1]
obj = pool.get(object_name, type=object_type)
return pydoc.getdoc(getattr(obj, method))
user = security.check(database_name, user, session)
Cache.clean(database_name)
database_list = Pool.database_list()
pool = Pool(database_name)
if not database_name in database_list:
with Transaction().start(database_name, user,
readonly=True) as transaction:
pool.init()
obj = pool.get(object_name, type=object_type)
if method in obj._rpc:
readonly = not obj._rpc[method]
elif method in getattr(obj, '_buttons', {}):
readonly = False
else:
raise UserError('Calling method %s on %s %s is not allowed!'
% (method, object_type, object_name))
for count in range(int(CONFIG['retry']), -1, -1):
with Transaction().start(database_name, user,
readonly=readonly) as transaction:
try:
args_without_context = list(args)
if 'context' in kargs:
context = kargs.pop('context')
else:
context = args_without_context.pop()
if '_timestamp' in context:
transaction.timestamp = context['_timestamp']
del context['_timestamp']
transaction.context = context
res = getattr(obj, method)(*args_without_context, **kargs)
if not readonly:
transaction.cursor.commit()
except DatabaseOperationalError, exception:
transaction.cursor.rollback()
if count and not readonly:
continue
raise
except Exception, exception:
if CONFIG['verbose'] and not isinstance(exception, (
NotLogged, ConcurrencyException, UserError,
UserWarning)):
tb_s = ''.join(traceback.format_exception(*sys.exc_info()))
logger = logging.getLogger('dispatcher')
logger.error('Exception calling method %s on '
'%s %s from %s@%s:%d/%s:\n'
% (method, object_type, object_name, user, host, port,
database_name) + tb_s)
transaction.cursor.rollback()
raise
