oca/oca-server-auth
2
0
Fork 0
mirror of https://github.com/bringout/oca-server-auth.git synced 2026-04-18 14:32:03 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
oca-server-auth/odoo-bringout-oca-server-auth-password_security/password_security/models/res_users.py
Ernad Husremovic 3ed80311c4 Initial commit: OCA Server Auth packages (29 packages)
2025-08-29 15:43:06 +02:00

198 lines
7 KiB
Python
Raw Blame History

# Copyright 2016 LasLabs Inc.
# Copyright 2017 Kaushal Prajapati <kbprajapati@live.com>.
# Copyright 2018 Modoolar <info@modoolar.com>.
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
import re
from datetime import datetime, timedelta
from odoo import _, api, fields, models
from odoo.exceptions import UserError, ValidationError
from odoo.tools import groupby
def delta_now(**kwargs):
return datetime.now() + timedelta(**kwargs)
class ResUsers(models.Model):
_inherit = "res.users"
password_write_date = fields.Datetime(
"Last password update", default=fields.Datetime.now, readonly=True, copy=False
)
password_history_ids = fields.One2many(
string="Password History",
comodel_name="res.users.pass.history",
inverse_name="user_id",
readonly=True,
)
def write(self, vals):
if vals.get("password"):
vals["password_write_date"] = fields.Datetime.now()
return super(ResUsers, self).write(vals)
@api.model
def get_password_policy(self):
data = super(ResUsers, self).get_password_policy()
company_id = self.env.user.company_id
data.update(
{
"password_lower": company_id.password_lower,
"password_upper": company_id.password_upper,
"password_numeric": company_id.password_numeric,
"password_special": company_id.password_special,
}
)
return data
def _check_password_policy(self, passwords):
result = super(ResUsers, self)._check_password_policy(passwords)
for password in passwords:
if not password:
continue
self._check_password(password)
return result
def password_match_message(self):
self.ensure_one()
company_id = self.company_id
message = []
if company_id.password_lower:
message.append(
_("\n* Lowercase letter (at least %s characters)")
% str(company_id.password_lower)
)
if company_id.password_upper:
message.append(
_("\n* Uppercase letter (at least %s characters)")
% str(company_id.password_upper)
)
if company_id.password_numeric:
message.append(
_("\n* Numeric digit (at least %s characters)")
% str(company_id.password_numeric)
)
if company_id.password_special:
message.append(
_("\n* Special character (at least %s characters)")
% str(company_id.password_special)
)
if message:
message = [_("Must contain the following:")] + message
params = self.env["ir.config_parameter"].sudo()
minlength = params.get_param("auth_password_policy.minlength", default=0)
if minlength:
message = [
_("Password must be %d characters or more.") % int(minlength)
] + message
return "\r".join(message)
def _check_password(self, password):
self._check_password_rules(password)
self._check_password_history(password)
return True
def _check_password_rules(self, password):
if not password:
return True
params = self.env["ir.config_parameter"].sudo()
minlength = params.get_param("auth_password_policy.minlength", default=0)
for company_id, users in groupby(self, lambda u: u.company_id):
password_regex = [
"^",
"(?=.*?[a-z]){" + str(company_id.password_lower) + ",}",
"(?=.*?[A-Z]){" + str(company_id.password_upper) + ",}",
"(?=.*?\\d){" + str(company_id.password_numeric) + ",}",
r"(?=.*?[\W_]){" + str(company_id.password_special) + ",}",
".{%d,}$" % int(minlength),
]
if not re.search("".join(password_regex), password):
raise ValidationError(users[0].password_match_message())
return True
def _password_has_expired(self):
self.ensure_one()
if not self.password_write_date:
return True
if not self.company_id.password_expiration:
return False
days = (fields.Datetime.now() - self.password_write_date).days
return days > self.company_id.password_expiration
def action_expire_password(self):
expiration = delta_now(days=+1)
for user in self:
user.mapped("partner_id").signup_prepare(
signup_type="reset", expiration=expiration
)
def _validate_pass_reset(self):
"""It provides validations before initiating a pass reset email
:raises: UserError on invalidated pass reset attempt
:return: True on allowed reset
"""
for user in self:
pass_min = user.company_id.password_minimum
if pass_min <= 0:
continue
write_date = user.password_write_date
if write_date and write_date + timedelta(hours=pass_min) > datetime.now():
raise UserError(
_(
"Passwords can only be reset every %d hour(s). "
"Please contact an administrator for assistance."
)
% pass_min
)
return True
def _check_password_history(self, password):
"""It validates proposed password against existing history
:raises: UserError on reused password
"""
crypt = self._crypt_context()
for user in self:
password_history = user.company_id.password_history
if not password_history: # disabled
recent_passes = self.env["res.users.pass.history"]
elif password_history < 0: # unlimited
recent_passes = user.password_history_ids
else:
recent_passes = user.password_history_ids[:password_history]
if recent_passes.filtered(
lambda r: crypt.verify(password, r.password_crypt)
):
raise UserError(
_("Cannot use the most recent %d passwords")
% user.company_id.password_history
)
def _set_encrypted_password(self, uid, pw):
"""It saves password crypt history for history rules"""
res = super(ResUsers, self)._set_encrypted_password(uid, pw)
self.env["res.users.pass.history"].create(
{
"user_id": uid,
"password_crypt": pw,
}
)
return res
def action_reset_password(self):
"""Disallow password resets inside of Minimum Hours"""
if not self.env.context.get("install_mode") and not self.env.context.get(
"create_user"
):
if not self.env.user._is_admin():
users = self.filtered(lambda user: user.active)
users._validate_pass_reset()
return super(ResUsers, self).action_reset_password()
Reference in a new issue View git blame Copy permalink