mirror of
https://github.com/bringout/oca-ocb-security.git
synced 2026-04-23 18:12:13 +02:00
19.0 vanilla
This commit is contained in:
Ernad Husremovic
parent
20ddc1b4a3
commit
c0efcc53f5
1162 changed files with 125577 additions and 105287 deletions
|
|
@ -7,8 +7,8 @@ import werkzeug.urls
|
|||
from collections import defaultdict
|
||||
from datetime import datetime, timedelta
|
||||
|
||||
from odoo import api, exceptions, fields, models, _
|
||||
from odoo.tools import sql
|
||||
from odoo import api, exceptions, fields, models, tools, _
|
||||
|
||||
class SignupError(Exception):
|
||||
pass
|
||||
|
||||
|
|
@ -24,42 +24,16 @@ def now(**kwargs):
|
|||
class ResPartner(models.Model):
|
||||
_inherit = 'res.partner'
|
||||
|
||||
signup_token = fields.Char(copy=False, groups="base.group_erp_manager", compute='_compute_token', inverse='_inverse_token')
|
||||
signup_type = fields.Char(string='Signup Token Type', copy=False, groups="base.group_erp_manager")
|
||||
signup_expiration = fields.Datetime(copy=False, groups="base.group_erp_manager")
|
||||
signup_valid = fields.Boolean(compute='_compute_signup_valid', string='Signup Token is Valid')
|
||||
signup_url = fields.Char(compute='_compute_signup_url', string='Signup URL')
|
||||
|
||||
def init(self):
|
||||
super().init()
|
||||
if not sql.column_exists(self.env.cr, self._table, "signup_token"):
|
||||
self.env.cr.execute("ALTER TABLE res_partner ADD COLUMN signup_token varchar")
|
||||
|
||||
@api.depends('signup_token', 'signup_expiration')
|
||||
def _compute_signup_valid(self):
|
||||
dt = now()
|
||||
for partner, partner_sudo in zip(self, self.sudo()):
|
||||
partner.signup_valid = bool(partner_sudo.signup_token) and \
|
||||
(not partner_sudo.signup_expiration or dt <= partner_sudo.signup_expiration)
|
||||
|
||||
def _compute_signup_url(self):
|
||||
""" proxy for function field towards actual implementation """
|
||||
def _get_signup_url(self):
|
||||
self.ensure_one()
|
||||
result = self.sudo()._get_signup_url_for_action()
|
||||
for partner in self:
|
||||
if any(u._is_internal() for u in partner.user_ids if u != self.env.user):
|
||||
self.env['res.users'].check_access_rights('write')
|
||||
if any(u.has_group('base.group_portal') for u in partner.user_ids if u != self.env.user):
|
||||
self.env['res.partner'].check_access_rights('write')
|
||||
partner.signup_url = result.get(partner.id, False)
|
||||
|
||||
def _compute_token(self):
|
||||
for partner in self.filtered('id'):
|
||||
self.env.cr.execute('SELECT signup_token FROM res_partner WHERE id=%s', (partner._origin.id,))
|
||||
partner.signup_token = self.env.cr.fetchone()[0]
|
||||
|
||||
def _inverse_token(self):
|
||||
for partner in self.filtered('id'):
|
||||
self.env.cr.execute('UPDATE res_partner SET signup_token = %s WHERE id=%s', (partner.signup_token or None, partner.id))
|
||||
if any(u._is_internal() for u in self.user_ids if u != self.env.user):
|
||||
self.env['res.users'].check_access('write')
|
||||
if any(u._is_portal() for u in self.user_ids if u != self.env.user):
|
||||
self.env['res.partner'].check_access('write')
|
||||
return result.get(self.id, False)
|
||||
|
||||
def _get_signup_url_for_action(self, url=None, action=None, view_type=None, menu_id=None, res_id=None, model=None):
|
||||
""" generate a signup url for the given partner ids and action, possibly overriding
|
||||
|
|
@ -82,18 +56,13 @@ class ResPartner(models.Model):
|
|||
if signup_type:
|
||||
route = 'reset_password' if signup_type == 'reset' else signup_type
|
||||
|
||||
if partner.sudo().signup_token and signup_type:
|
||||
query['token'] = partner.sudo().signup_token
|
||||
elif partner.user_ids:
|
||||
query['login'] = partner.user_ids[0].login
|
||||
else:
|
||||
continue # no signup token, no user, thus no signup url!
|
||||
query['token'] = partner.sudo()._generate_signup_token()
|
||||
|
||||
if url:
|
||||
query['redirect'] = url
|
||||
else:
|
||||
fragment = dict()
|
||||
base = '/web#'
|
||||
base = '/odoo/'
|
||||
if action == '/mail/view':
|
||||
base = '/mail/view?'
|
||||
elif action:
|
||||
|
|
@ -112,9 +81,8 @@ class ResPartner(models.Model):
|
|||
|
||||
signup_url = "/web/%s?%s" % (route, werkzeug.urls.url_encode(query))
|
||||
if not self.env.context.get('relative_url'):
|
||||
signup_url = werkzeug.urls.url_join(base_url, signup_url)
|
||||
signup_url = tools.urls.urljoin(base_url, signup_url)
|
||||
res[partner.id] = signup_url
|
||||
|
||||
return res
|
||||
|
||||
def action_signup_prepare(self):
|
||||
|
|
@ -134,64 +102,100 @@ class ResPartner(models.Model):
|
|||
partner = partner.sudo()
|
||||
if allow_signup and not partner.user_ids:
|
||||
partner.signup_prepare()
|
||||
res[partner.id]['auth_signup_token'] = partner.signup_token
|
||||
res[partner.id]['auth_signup_token'] = partner._generate_signup_token()
|
||||
elif partner.user_ids:
|
||||
res[partner.id]['auth_login'] = partner.user_ids[0].login
|
||||
return res
|
||||
|
||||
def signup_cancel(self):
|
||||
return self.write({'signup_token': False, 'signup_type': False, 'signup_expiration': False})
|
||||
return self.write({'signup_type': None})
|
||||
|
||||
def signup_prepare(self, signup_type="signup", expiration=False):
|
||||
""" generate a new token for the partners with the given validity, if necessary
|
||||
:param expiration: the expiration datetime of the token (string, optional)
|
||||
"""
|
||||
for partner in self:
|
||||
if expiration or not partner.signup_valid:
|
||||
token = random_token()
|
||||
while self._signup_retrieve_partner(token):
|
||||
token = random_token()
|
||||
partner.write({'signup_token': token, 'signup_type': signup_type, 'signup_expiration': expiration})
|
||||
def signup_prepare(self, signup_type="signup"):
|
||||
""" generate a new token for the partners with the given validity, if necessary """
|
||||
self.write({'signup_type': signup_type})
|
||||
return True
|
||||
|
||||
@api.model
|
||||
def _signup_retrieve_partner(self, token, check_validity=False, raise_exception=False):
|
||||
""" find the partner corresponding to a token, and possibly check its validity
|
||||
:param token: the token to resolve
|
||||
:param check_validity: if True, also check validity
|
||||
:param raise_exception: if True, raise exception instead of returning False
|
||||
:return: partner (browse record) or False (if raise_exception is False)
|
||||
|
||||
:param token: the token to resolve
|
||||
:param bool check_validity: if True, also check validity
|
||||
:param bool raise_exception: if True, raise exception instead of returning False
|
||||
:return: partner (browse record) or False (if raise_exception is False)
|
||||
"""
|
||||
self.env.cr.execute("SELECT id FROM res_partner WHERE signup_token = %s AND active", (token,))
|
||||
partner_id = self.env.cr.fetchone()
|
||||
partner = self.browse(partner_id[0]) if partner_id else None
|
||||
partner = self._get_partner_from_token(token)
|
||||
if not partner:
|
||||
if raise_exception:
|
||||
raise exceptions.UserError(_("Signup token '%s' is not valid", token))
|
||||
return False
|
||||
if check_validity and not partner.signup_valid:
|
||||
if raise_exception:
|
||||
raise exceptions.UserError(_("Signup token '%s' is no longer valid", token))
|
||||
return False
|
||||
raise exceptions.UserError(_("Signup token '%s' is not valid or expired", token))
|
||||
return partner
|
||||
|
||||
@api.model
|
||||
def signup_retrieve_info(self, token):
|
||||
def _signup_retrieve_info(self, token):
|
||||
""" retrieve the user info about the token
|
||||
:return: a dictionary with the user information:
|
||||
- 'db': the name of the database
|
||||
- 'token': the token, if token is valid
|
||||
- 'name': the name of the partner, if token is valid
|
||||
- 'login': the user login, if the user already exists
|
||||
- 'email': the partner email, if the user does not exist
|
||||
|
||||
:rtype: dict | None
|
||||
:return: a dictionary with the user information if the token is valid,
|
||||
None otherwise:
|
||||
|
||||
db
|
||||
the name of the database
|
||||
token
|
||||
the token, if token is valid
|
||||
name
|
||||
the name of the partner, if token is valid
|
||||
login
|
||||
the user login, if the user already exists
|
||||
email
|
||||
the partner email, if the user does not exist
|
||||
"""
|
||||
partner = self._signup_retrieve_partner(token, raise_exception=True)
|
||||
partner = self._get_partner_from_token(token)
|
||||
if not partner:
|
||||
return None
|
||||
res = {'db': self.env.cr.dbname}
|
||||
if partner.signup_valid:
|
||||
res['token'] = token
|
||||
res['name'] = partner.name
|
||||
res['token'] = token
|
||||
res['name'] = partner.name
|
||||
if partner.user_ids:
|
||||
res['login'] = partner.user_ids[0].login
|
||||
else:
|
||||
res['email'] = res['login'] = partner.email or ''
|
||||
return res
|
||||
|
||||
def _get_login_date(self):
|
||||
self.ensure_one()
|
||||
users_login_dates = self.user_ids.mapped('login_date')
|
||||
users_login_dates = list(filter(None, users_login_dates)) # remove falsy values
|
||||
if any(users_login_dates):
|
||||
return int(max(map(datetime.timestamp, users_login_dates)))
|
||||
return None
|
||||
|
||||
def _generate_signup_token(self, expiration=None):
|
||||
""" Generate the signup token for the partner in self.
|
||||
|
||||
Assume that :attr:`signup_type` is either ``'signup'`` or ``'reset'``.
|
||||
|
||||
:param expiration: the time in hours before the expiration of the token
|
||||
:return: the signed payload/token that can be used to reset the
|
||||
password/signup.
|
||||
|
||||
Since ``last_login_date`` is part of the payload, this token is
|
||||
invalidated as soon as the user logs in.
|
||||
"""
|
||||
self.ensure_one()
|
||||
if not expiration:
|
||||
if self.signup_type == 'reset':
|
||||
expiration = int(self.env['ir.config_parameter'].get_param("auth_signup.reset_password.validity.hours", 4))
|
||||
else:
|
||||
expiration = int(self.env['ir.config_parameter'].get_param("auth_signup.signup.validity.hours", 144))
|
||||
plist = [self.id, self.user_ids.ids, self._get_login_date(), self.signup_type]
|
||||
payload = tools.hash_sign(self.sudo().env, 'signup', plist, expiration_hours=expiration)
|
||||
return payload
|
||||
|
||||
@api.model
|
||||
def _get_partner_from_token(self, token):
|
||||
if payload := tools.verify_hash_signed(self.sudo().env, 'signup', token):
|
||||
partner_id, user_ids, login_date, signup_type = payload
|
||||
# login_date can be either an int or "None" as a string for signup
|
||||
partner = self.browse(partner_id)
|
||||
if login_date == partner._get_login_date() and partner.user_ids.ids == user_ids and signup_type == partner.browse(partner_id).signup_type:
|
||||
return partner
|
||||
return None
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue