Initial commit: OCA Server Auth packages (29 packages)

2026-04-18 17:12:09 +02:00 · 2025-08-29 15:43:06 +02:00 · 2025-08-29 15:43:06 +02:00 · 3ed80311c4
commit 3ed80311c4
1325 changed files with 127292 additions and 0 deletions
--- a/odoo-bringout-oca-server-auth-password_security/password_security/controllers/init.py
+++ b/odoo-bringout-oca-server-auth-password_security/password_security/controllers/init.py
@ -0,0 +1,4 @@
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from . import main
--- a/odoo-bringout-oca-server-auth-password_security/password_security/controllers/main.py
+++ b/odoo-bringout-oca-server-auth-password_security/password_security/controllers/main.py
@ -0,0 +1,67 @@
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+import logging
+
+from werkzeug.exceptions import BadRequest
+
+from odoo import http
+from odoo.http import request
+
+from odoo.addons.auth_signup.controllers.main import AuthSignupHome
+from odoo.addons.web.controllers.home import ensure_db
+
+_logger = logging.getLogger(__name__)
+
+
+class PasswordSecurityHome(AuthSignupHome):
+    def do_signup(self, qcontext):
+        password = qcontext.get("password")
+        # If 2FA is activated, request.env.user is not updated to the logged-in user
+        # at this point. In order to do _check_password on the correct user we
+        # search by login.
+        user = (
+            request.env.user.search([("login", "=", qcontext.get("login"))])
+            or request.env.user
+        )
+        user._check_password(password)
+        return super(PasswordSecurityHome, self).do_signup(qcontext)
+
+    @http.route()
+    def web_login(self, *args, **kw):
+        ensure_db()
+        response = super(PasswordSecurityHome, self).web_login(*args, **kw)
+        if not request.params.get("login_success"):
+            return response
+        if not request.env.user:
+            return response
+        # Now, I'm an authenticated user
+        if not request.env.user._password_has_expired():
+            return response
+        # My password is expired, kick me out
+        request.env.user.action_expire_password()
+        request.session.logout(keep_db=True)
+        # I was kicked out, so set login_success in request params to False
+        request.params["login_success"] = False
+        redirect = request.env.user.partner_id.signup_url
+        return request.redirect(redirect)
+
+    @http.route()
+    def web_auth_signup(self, *args, **kw):
+        """Try to catch all the possible exceptions not already handled in the parent method"""
+
+        try:
+            qcontext = self.get_auth_signup_qcontext()
+        except Exception:
+            raise BadRequest from None  # HTTPError: 400 Client Error: BAD REQUEST
+
+        try:
+            return super(PasswordSecurityHome, self).web_auth_signup(*args, **kw)
+        except Exception as e:
+            # Here we catch any generic exception since UserError is already
+            # handled in parent method web_auth_signup()
+            qcontext["error"] = str(e)
+            response = request.render("auth_signup.signup", qcontext)
+            response.headers["X-Frame-Options"] = "SAMEORIGIN"
+            response.headers["Content-Security-Policy"] = "frame-ancestors 'self'"
+            return response