Initial commit: Security packages

2026-04-23 00:12:09 +02:00 · 2025-08-29 15:20:51 +02:00 · 2025-08-29 15:20:51 +02:00 · bb469e4763
commit bb469e4763
1399 changed files with 278378 additions and 0 deletions
--- a/odoo-bringout-oca-ocb-auth_signup/auth_signup/tests/init.py
+++ b/odoo-bringout-oca-ocb-auth_signup/auth_signup/tests/init.py
@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from . import test_login
+from . import test_reset_password
+from . import test_auth_signup
--- a/odoo-bringout-oca-ocb-auth_signup/auth_signup/tests/test_auth_signup.py
+++ b/odoo-bringout-oca-ocb-auth_signup/auth_signup/tests/test_auth_signup.py
@ -0,0 +1,66 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from unittest.mock import patch
+
+import odoo
+from odoo import http
+from odoo.addons.base.tests.common import HttpCaseWithUserPortal, HttpCaseWithUserDemo
+from odoo.exceptions import AccessError
+
+
+class TestAuthSignupFlow(HttpCaseWithUserPortal, HttpCaseWithUserDemo):
+
+    def setUp(self):
+        super(TestAuthSignupFlow, self).setUp()
+        res_config = self.env['res.config.settings']
+        self.default_values = res_config.default_get(list(res_config.fields_get()))
+
+    def _activate_free_signup(self):
+        self.default_values.update({'auth_signup_uninvited': 'b2c'})
+
+    def _get_free_signup_url(self):
+        return '/web/signup'
+
+    def test_confirmation_mail_free_signup(self):
+        """
+        Check if a new user is informed by email when he is registered
+        """
+
+        # Activate free signup
+        self._activate_free_signup()
+
+        # Get csrf_token
+        self.authenticate(None, None)
+        csrf_token = http.Request.csrf_token(self)
+
+        # Values from login form
+        name = 'toto'
+        payload = {
+            'login': 'toto@example.com',
+            'name': name,
+            'password': 'mypassword',
+            'confirm_password': 'mypassword',
+            'csrf_token': csrf_token,
+        }
+
+        # Override unlink to not delete the email if the send works.
+        with patch.object(odoo.addons.mail.models.mail_mail.MailMail, 'unlink', lambda self: None):
+            # Call the controller
+            url_free_signup = self._get_free_signup_url()
+            self.url_open(url_free_signup, data=payload)
+            # Check if an email is sent to the new userw
+            new_user = self.env['res.users'].search([('name', '=', name)])
+            self.assertTrue(new_user)
+            mail = self.env['mail.message'].search([('message_type', '=', 'email'), ('model', '=', 'res.users'), ('res_id', '=', new_user.id)], limit=1)
+            self.assertTrue(mail, "The new user must be informed of his registration")
+
+    def test_compute_signup_url(self):
+        user = self.user_demo
+        user.groups_id -= self.env.ref('base.group_partner_manager')
+
+        partner = self.partner_portal
+        partner.signup_prepare()
+
+        with self.assertRaises(AccessError):
+            partner.with_user(user.id).signup_url
--- a/odoo-bringout-oca-ocb-auth_signup/auth_signup/tests/test_login.py
+++ b/odoo-bringout-oca-ocb-auth_signup/auth_signup/tests/test_login.py
@ -0,0 +1,2 @@
+# rerun TestWebLogin tests with auth_signup installed
+from odoo.addons.web.tests.test_login import TestWebLogin  # pylint: disable=W0611
--- a/odoo-bringout-oca-ocb-auth_signup/auth_signup/tests/test_reset_password.py
+++ b/odoo-bringout-oca-ocb-auth_signup/auth_signup/tests/test_reset_password.py
@ -0,0 +1,27 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+from odoo.tests.common import HttpCase
+from werkzeug.urls import url_parse
+
+
+class TestResetPassword(HttpCase):
+
+    def test_reset_password(self):
+        """
+            Test that first signup link and password reset link are different to accomodate for the different behaviour
+            on first signup if a password is already set user is redirected to login page when accessing that link again
+            'signup_email' is used in the web controller (web_auth_reset_password) to detect this behaviour
+        """
+        test_user = self.env['res.users'].create({
+            'login': 'test',
+            'name': 'The King',
+            'email': 'noop@example.com',
+        })
+
+        self.assertEqual(test_user.email, url_parse(test_user.with_context(create_user=True).signup_url).decode_query()["signup_email"], "query must contain 'signup_email'")
+
+        # Invalidate signup_url to skip signup process
+        self.env.invalidate_all()
+        test_user.action_reset_password()
+
+        self.assertNotIn("signup_email", url_parse(test_user.signup_url).decode_query(), "query should not contain 'signup_email'")