Initial commit: Security packages

2026-04-21 00:32:06 +02:00 · 2025-08-29 15:20:51 +02:00 · 2025-08-29 15:20:51 +02:00 · bb469e4763
commit bb469e4763
1399 changed files with 278378 additions and 0 deletions
--- a/odoo-bringout-oca-ocb-auth_ldap/auth_ldap/models/res_users.py
+++ b/odoo-bringout-oca-ocb-auth_ldap/auth_ldap/models/res_users.py
@ -0,0 +1,60 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from odoo.exceptions import AccessDenied
+
+from odoo import api, models, registry, SUPERUSER_ID
+
+
+class Users(models.Model):
+    _inherit = "res.users"
+
+    @classmethod
+    def _login(cls, db, login, password, user_agent_env):
+        try:
+            return super(Users, cls)._login(db, login, password, user_agent_env=user_agent_env)
+        except AccessDenied as e:
+            with registry(db).cursor() as cr:
+                cr.execute("SELECT id FROM res_users WHERE lower(login)=%s", (login,))
+                res = cr.fetchone()
+                if res:
+                    raise e
+
+                env = api.Environment(cr, SUPERUSER_ID, {})
+                Ldap = env['res.company.ldap']
+                for conf in Ldap._get_ldap_dicts():
+                    entry = Ldap._authenticate(conf, login, password)
+                    if entry:
+                        return Ldap._get_or_create_user(conf, login, entry)
+                raise e
+
+    def _check_credentials(self, password, env):
+        try:
+            return super(Users, self)._check_credentials(password, env)
+        except AccessDenied:
+            passwd_allowed = env['interactive'] or not self.env.user._rpc_api_keys_only()
+            if passwd_allowed and self.env.user.active:
+                Ldap = self.env['res.company.ldap']
+                for conf in Ldap._get_ldap_dicts():
+                    if Ldap._authenticate(conf, self.env.user.login, password):
+                        return
+            raise
+
+    @api.model
+    def change_password(self, old_passwd, new_passwd):
+        if new_passwd:
+            Ldap = self.env['res.company.ldap']
+            for conf in Ldap._get_ldap_dicts():
+                changed = Ldap._change_password(conf, self.env.user.login, old_passwd, new_passwd)
+                if changed:
+                    self.env.user._set_empty_password()
+                    return True
+        return super(Users, self).change_password(old_passwd, new_passwd)
+
+    def _set_empty_password(self):
+        self.flush_recordset(['password'])
+        self.env.cr.execute(
+            'UPDATE res_users SET password=NULL WHERE id=%s',
+            (self.id,)
+        )
+        self.invalidate_recordset(['password'])