# -*- coding: utf-8 -*-
# Part of Odoo. See LICENSE file for full copyright and licensing details.
import binascii
import contextlib
import datetime
import hmac
import ipaddress
import itertools
import json
import logging
import os
import time
from collections import defaultdict
from functools import wraps
from hashlib import sha256
from itertools import chain, repeat
from markupsafe import Markup
import babel.core
import pytz
from lxml import etree
from lxml.builder import E
from passlib.context import CryptContext
from psycopg2 import sql
from odoo import api, fields, models, tools, SUPERUSER_ID, _, Command
from odoo.addons.base.models.ir_model import MODULE_UNINSTALL_FLAG
from odoo.exceptions import AccessDenied, AccessError, UserError, ValidationError
from odoo.http import request, DEFAULT_LANG
from odoo.osv import expression
from odoo.service.db import check_super
from odoo.tools import is_html_empty, partition, collections, frozendict, lazy_property
_logger = logging.getLogger(__name__)
# Only users who can modify the user (incl. the user herself) see the real contents of these fields
USER_PRIVATE_FIELDS = []
MIN_ROUNDS = 350000
concat = chain.from_iterable
#
# Functions for manipulating boolean and selection pseudo-fields
#
def name_boolean_group(id):
return 'in_group_' + str(id)
def name_selection_groups(ids):
return 'sel_groups_' + '_'.join(str(it) for it in sorted(ids))
def is_boolean_group(name):
return name.startswith('in_group_')
def is_selection_groups(name):
return name.startswith('sel_groups_')
def is_reified_group(name):
return is_boolean_group(name) or is_selection_groups(name)
def get_boolean_group(name):
return int(name[9:])
def get_selection_groups(name):
return [int(v) for v in name[11:].split('_')]
def parse_m2m(commands):
"return a list of ids corresponding to a many2many value"
ids = []
for command in commands:
if isinstance(command, (tuple, list)):
if command[0] in (Command.UPDATE, Command.LINK):
ids.append(command[1])
elif command[0] == Command.CLEAR:
ids = []
elif command[0] == Command.SET:
ids = list(command[2])
else:
ids.append(command)
return ids
def _jsonable(o):
try: json.dumps(o)
except TypeError: return False
else: return True
def check_identity(fn):
""" Wrapped method should be an *action method* (called from a button
type=object), and requires extra security to be executed. This decorator
checks if the identity (password) has been checked in the last 10mn, and
pops up an identity check wizard if not.
Prevents access outside of interactive contexts (aka with a request)
"""
@wraps(fn)
def wrapped(self):
if not request:
raise UserError(_("This method can only be accessed over HTTP"))
if request.session.get('identity-check-last', 0) > time.time() - 10 * 60:
# update identity-check-last like github?
return fn(self)
w = self.sudo().env['res.users.identitycheck'].create({
'request': json.dumps([
{ # strip non-jsonable keys (e.g. mapped to recordsets like binary_field_real_user)
k: v for k, v in self.env.context.items()
if _jsonable(v)
},
self._name,
self.ids,
fn.__name__
])
})
return {
'type': 'ir.actions.act_window',
'res_model': 'res.users.identitycheck',
'res_id': w.id,
'name': _("Security Control"),
'target': 'new',
'views': [(False, 'form')],
}
wrapped.__has_check_identity = True
return wrapped
#----------------------------------------------------------
# Basic res.groups and res.users
#----------------------------------------------------------
class Groups(models.Model):
_name = "res.groups"
_description = "Access Groups"
_rec_name = 'full_name'
_order = 'name'
name = fields.Char(required=True, translate=True)
users = fields.Many2many('res.users', 'res_groups_users_rel', 'gid', 'uid')
model_access = fields.One2many('ir.model.access', 'group_id', string='Access Controls', copy=True)
rule_groups = fields.Many2many('ir.rule', 'rule_group_rel',
'group_id', 'rule_group_id', string='Rules', domain="[('global', '=', False)]")
menu_access = fields.Many2many('ir.ui.menu', 'ir_ui_menu_group_rel', 'gid', 'menu_id', string='Access Menu')
view_access = fields.Many2many('ir.ui.view', 'ir_ui_view_group_rel', 'group_id', 'view_id', string='Views')
comment = fields.Text(translate=True)
category_id = fields.Many2one('ir.module.category', string='Application', index=True)
color = fields.Integer(string='Color Index')
full_name = fields.Char(compute='_compute_full_name', string='Group Name', search='_search_full_name')
share = fields.Boolean(string='Share Group', help="Group created to set access rights for sharing data with some users.")
_sql_constraints = [
('name_uniq', 'unique (category_id, name)', 'The name of the group must be unique within an application!')
]
@api.constrains('users')
def _check_one_user_type(self):
self.users._check_one_user_type()
@api.ondelete(at_uninstall=False)
def _unlink_except_settings_group(self):
classified = self.env['res.config.settings']._get_classified_fields()
for _name, _groups, implied_group in classified['group']:
if implied_group.id in self.ids:
raise ValidationError(_('You cannot delete a group linked with a settings field.'))
@api.depends('category_id.name', 'name')
def _compute_full_name(self):
# Important: value must be stored in environment of group, not group1!
for group, group1 in zip(self, self.sudo()):
if group1.category_id:
group.full_name = '%s / %s' % (group1.category_id.name, group1.name)
else:
group.full_name = group1.name
def _search_full_name(self, operator, operand):
lst = True
if isinstance(operand, bool):
return [[('name', operator, operand)]]
if isinstance(operand, str):
lst = False
operand = [operand]
where = []
for group in operand:
values = [v for v in group.split('/') if v]
group_name = values.pop().strip()
category_name = values and '/'.join(values).strip() or group_name
group_domain = [('name', operator, lst and [group_name] or group_name)]
category_ids = self.env['ir.module.category'].sudo()._search(
[('name', operator, [category_name] if lst else category_name)])
category_domain = [('category_id', 'in', category_ids)]
if operator in expression.NEGATIVE_TERM_OPERATORS and not values:
category_domain = expression.OR([category_domain, [('category_id', '=', False)]])
if (operator in expression.NEGATIVE_TERM_OPERATORS) == (not values):
sub_where = expression.AND([group_domain, category_domain])
else:
sub_where = expression.OR([group_domain, category_domain])
if operator in expression.NEGATIVE_TERM_OPERATORS:
where = expression.AND([where, sub_where])
else:
where = expression.OR([where, sub_where])
return where
@api.model
def _search(self, args, offset=0, limit=None, order=None, count=False, access_rights_uid=None):
# add explicit ordering if search is sorted on full_name
if order and order.startswith('full_name'):
groups = super(Groups, self).search(args)
groups = groups.sorted('full_name', reverse=order.endswith('DESC'))
groups = groups[offset:offset+limit] if limit else groups[offset:]
return len(groups) if count else groups.ids
return super(Groups, self)._search(args, offset=offset, limit=limit, order=order, count=count, access_rights_uid=access_rights_uid)
def copy(self, default=None):
self.ensure_one()
chosen_name = default.get('name') if default else ''
default_name = chosen_name or _('%s (copy)', self.name)
default = dict(default or {}, name=default_name)
return super(Groups, self).copy(default)
def write(self, vals):
if 'name' in vals:
if vals['name'].startswith('-'):
raise UserError(_('The name of the group can not start with "-"'))
# invalidate caches before updating groups, since the recomputation of
# field 'share' depends on method has_group()
# DLE P139
if self.ids:
self.env['ir.model.access'].call_cache_clearing_methods()
return super(Groups, self).write(vals)
def _ensure_xml_id(self):
"""Return the groups external identifiers, creating the external identifier for groups missing one"""
result = self.get_external_id()
missings = {group_id: f'__custom__.group_{group_id}' for group_id, ext_id in result.items() if not ext_id}
if missings:
self.env['ir.model.data'].create(
[
{
'name': name.split('.')[1],
'model': 'res.groups',
'res_id': group_id,
'module': name.split('.')[0],
}
for group_id, name in missings.items()
]
)
result.update(missings)
return result
class ResUsersLog(models.Model):
_name = 'res.users.log'
_order = 'id desc'
_description = 'Users Log'
# Currenly only uses the magical fields: create_uid, create_date,
# for recording logins. To be extended for other uses (chat presence, etc.)
@api.autovacuum
def _gc_user_logs(self):
self._cr.execute("""
DELETE FROM res_users_log log1 WHERE EXISTS (
SELECT 1 FROM res_users_log log2
WHERE log1.create_uid = log2.create_uid
AND log1.create_date < log2.create_date
)
""")
_logger.info("GC'd %d user log entries", self._cr.rowcount)
class Users(models.Model):
""" User class. A res.users record models an OpenERP user and is different
from an employee.
res.users class now inherits from res.partner. The partner model is
used to store the data related to the partner: lang, name, address,
avatar, ... The user model is now dedicated to technical data.
"""
_name = "res.users"
_description = 'User'
_inherits = {'res.partner': 'partner_id'}
_order = 'name, login'
@property
def SELF_READABLE_FIELDS(self):
""" The list of fields a user can read on their own user record.
In order to add fields, please override this property on model extensions.
"""
return [
'signature', 'company_id', 'login', 'email', 'name', 'image_1920',
'image_1024', 'image_512', 'image_256', 'image_128', 'lang', 'tz',
'tz_offset', 'groups_id', 'partner_id', '__last_update', 'action_id',
'avatar_1920', 'avatar_1024', 'avatar_512', 'avatar_256', 'avatar_128',
'share',
]
@property
def SELF_WRITEABLE_FIELDS(self):
""" The list of fields a user can write on their own user record.
In order to add fields, please override this property on model extensions.
"""
return ['signature', 'action_id', 'company_id', 'email', 'name', 'image_1920', 'lang', 'tz']
def _default_groups(self):
default_user_id = self.env['ir.model.data']._xmlid_to_res_id('base.default_user', raise_if_not_found=False)
return self.env['res.users'].browse(default_user_id).sudo().groups_id if default_user_id else []
partner_id = fields.Many2one('res.partner', required=True, ondelete='restrict', auto_join=True, index=True,
string='Related Partner', help='Partner-related data of the user')
login = fields.Char(required=True, help="Used to log into the system")
password = fields.Char(
compute='_compute_password', inverse='_set_password',
invisible=True, copy=False,
help="Keep empty if you don't want the user to be able to connect on the system.")
new_password = fields.Char(string='Set Password',
compute='_compute_password', inverse='_set_new_password',
help="Specify a value only when creating a user or if you're "\
"changing the user's password, otherwise leave empty. After "\
"a change of password, the user has to login again.")
signature = fields.Html(string="Email Signature", compute='_compute_signature', readonly=False, store=True)
active = fields.Boolean(default=True)
active_partner = fields.Boolean(related='partner_id.active', readonly=True, string="Partner is Active")
action_id = fields.Many2one('ir.actions.actions', string='Home Action',
help="If specified, this action will be opened at log on for this user, in addition to the standard menu.")
groups_id = fields.Many2many('res.groups', 'res_groups_users_rel', 'uid', 'gid', string='Groups', default=_default_groups)
log_ids = fields.One2many('res.users.log', 'create_uid', string='User log entries')
login_date = fields.Datetime(related='log_ids.create_date', string='Latest authentication', readonly=False)
share = fields.Boolean(compute='_compute_share', compute_sudo=True, string='Share User', store=True,
help="External user with limited access, created only for the purpose of sharing data.")
companies_count = fields.Integer(compute='_compute_companies_count', string="Number of Companies")
tz_offset = fields.Char(compute='_compute_tz_offset', string='Timezone offset', invisible=True)
# Special behavior for this field: res.company.search() will only return the companies
# available to the current user (should be the user's companies?), when the user_preference
# context is set.
company_id = fields.Many2one('res.company', string='Company', required=True, default=lambda self: self.env.company.id,
help='The default company for this user.', context={'user_preference': True})
company_ids = fields.Many2many('res.company', 'res_company_users_rel', 'user_id', 'cid',
string='Companies', default=lambda self: self.env.company.ids)
# overridden inherited fields to bypass access rights, in case you have
# access to the user but not its corresponding partner
name = fields.Char(related='partner_id.name', inherited=True, readonly=False)
email = fields.Char(related='partner_id.email', inherited=True, readonly=False)
accesses_count = fields.Integer('# Access Rights', help='Number of access rights that apply to the current user',
compute='_compute_accesses_count', compute_sudo=True)
rules_count = fields.Integer('# Record Rules', help='Number of record rules that apply to the current user',
compute='_compute_accesses_count', compute_sudo=True)
groups_count = fields.Integer('# Groups', help='Number of groups that apply to the current user',
compute='_compute_accesses_count', compute_sudo=True)
_sql_constraints = [
('login_key', 'UNIQUE (login)', 'You can not have two users with the same login !')
]
def init(self):
cr = self.env.cr
# allow setting plaintext passwords via SQL and have them
# automatically encrypted at startup: look for passwords which don't
# match the "extended" MCF and pass those through passlib.
# Alternative: iterate on *all* passwords and use CryptContext.identify
cr.execute("""
SELECT id, password FROM res_users
WHERE password IS NOT NULL
AND password !~ '^\$[^$]+\$[^$]+\$.'
""")
if self.env.cr.rowcount:
Users = self.sudo()
for uid, pw in cr.fetchall():
Users.browse(uid).password = pw
def _set_password(self):
ctx = self._crypt_context()
for user in self:
self._set_encrypted_password(user.id, ctx.hash(user.password))
def _set_encrypted_password(self, uid, pw):
assert self._crypt_context().identify(pw) != 'plaintext'
self.env.cr.execute(
'UPDATE res_users SET password=%s WHERE id=%s',
(pw, uid)
)
self.browse(uid).invalidate_recordset(['password'])
def _check_credentials(self, password, env):
""" Validates the current user's password.
Override this method to plug additional authentication methods.
Overrides should:
* call `super` to delegate to parents for credentials-checking
* catch AccessDenied and perform their own checking
* (re)raise AccessDenied if the credentials are still invalid
according to their own validation method
When trying to check for credentials validity, call _check_credentials
instead.
"""
""" Override this method to plug additional authentication methods"""
assert password
self.env.cr.execute(
"SELECT COALESCE(password, '') FROM res_users WHERE id=%s",
[self.env.user.id]
)
[hashed] = self.env.cr.fetchone()
valid, replacement = self._crypt_context()\
.verify_and_update(password, hashed)
if replacement is not None:
self._set_encrypted_password(self.env.user.id, replacement)
if not valid:
raise AccessDenied()
def _compute_password(self):
for user in self:
user.password = ''
user.new_password = ''
def _set_new_password(self):
for user in self:
if not user.new_password:
# Do not update the password if no value is provided, ignore silently.
# For example web client submits False values for all empty fields.
continue
if user == self.env.user:
# To change their own password, users must use the client-specific change password wizard,
# so that the new password is immediately used for further RPC requests, otherwise the user
# will face unexpected 'Access Denied' exceptions.
raise UserError(_('Please use the change password wizard (in User Preferences or User menu) to change your own password.'))
else:
user.password = user.new_password
@api.depends('name')
def _compute_signature(self):
for user in self.filtered(lambda user: user.name and is_html_empty(user.signature)):
user.signature = Markup('
--
%s
') % user['name']
@api.depends('groups_id')
def _compute_share(self):
user_group_id = self.env['ir.model.data']._xmlid_to_res_id('base.group_user')
internal_users = self.filtered_domain([('groups_id', 'in', [user_group_id])])
internal_users.share = False
(self - internal_users).share = True
@api.depends('company_id')
def _compute_companies_count(self):
self.companies_count = self.env['res.company'].sudo().search_count([])
@api.depends('tz')
def _compute_tz_offset(self):
for user in self:
user.tz_offset = datetime.datetime.now(pytz.timezone(user.tz or 'GMT')).strftime('%z')
@api.depends('groups_id')
def _compute_accesses_count(self):
for user in self:
groups = user.groups_id
user.accesses_count = len(groups.model_access)
user.rules_count = len(groups.rule_groups)
user.groups_count = len(groups)
@api.onchange('login')
def on_change_login(self):
if self.login and tools.single_email_re.match(self.login):
self.email = self.login
@api.onchange('parent_id')
def onchange_parent_id(self):
return self.partner_id.onchange_parent_id()
def _read(self, fields):
super(Users, self)._read(fields)
if set(USER_PRIVATE_FIELDS).intersection(fields):
if self.check_access_rights('write', raise_exception=False):
return
for record in self:
for f in USER_PRIVATE_FIELDS:
try:
record._cache[f]
record._cache[f] = '********'
except Exception:
# skip SpecialValue (e.g. for missing record or access right)
pass
@api.constrains('company_id', 'company_ids', 'active')
def _check_company(self):
for user in self.filtered(lambda u: u.active):
if user.company_id not in user.company_ids:
raise ValidationError(
_('Company %(company_name)s is not in the allowed companies for user %(user_name)s (%(company_allowed)s).',
company_name=user.company_id.name,
user_name=user.name,
company_allowed=', '.join(user.mapped('company_ids.name')))
)
@api.constrains('action_id')
def _check_action_id(self):
action_open_website = self.env.ref('base.action_open_website', raise_if_not_found=False)
if action_open_website and any(user.action_id.id == action_open_website.id for user in self):
raise ValidationError(_('The "App Switcher" action cannot be selected as home action.'))
# Prevent using reload actions.
# We use sudo() because "Access rights" admins can't read action models
for user in self.sudo():
if user.action_id.type == "ir.actions.client":
action = self.env["ir.actions.client"].browse(user.action_id.id) # magic
if action.tag == "reload":
raise ValidationError(_('The "%s" action cannot be selected as home action.', action.name))
@api.constrains('groups_id')
def _check_one_user_type(self):
"""We check that no users are both portal and users (same with public).
This could typically happen because of implied groups.
"""
user_types_category = self.env.ref('base.module_category_user_type', raise_if_not_found=False)
user_types_groups = self.env['res.groups'].search(
[('category_id', '=', user_types_category.id)]) if user_types_category else False
if user_types_groups: # needed at install
if self._has_multiple_groups(user_types_groups.ids):
raise ValidationError(_('The user cannot have more than one user types.'))
def _has_multiple_groups(self, group_ids):
"""The method is not fast if the list of ids is very long;
so we rather check all users than limit to the size of the group
:param group_ids: list of group ids
:return: boolean: is there at least a user in at least 2 of the provided groups
"""
if group_ids:
args = [tuple(group_ids)]
if len(self.ids) == 1:
where_clause = "AND r.uid = %s"
args.append(self.id)
else:
where_clause = "" # default; we check ALL users (actually pretty efficient)
query = """
SELECT 1 FROM res_groups_users_rel WHERE EXISTS(
SELECT r.uid
FROM res_groups_users_rel r
WHERE r.gid IN %s""" + where_clause + """
GROUP BY r.uid HAVING COUNT(r.gid) > 1
)
"""
self.env.cr.execute(query, args)
return bool(self.env.cr.fetchall())
else:
return False
def toggle_active(self):
for user in self:
if not user.active and not user.partner_id.active:
user.partner_id.toggle_active()
super(Users, self).toggle_active()
def read(self, fields=None, load='_classic_read'):
if fields and self == self.env.user:
readable = self.SELF_READABLE_FIELDS
for key in fields:
if not (key in readable or key.startswith('context_')):
break
else:
# safe fields only, so we read as super-user to bypass access rights
self = self.sudo()
return super(Users, self).read(fields=fields, load=load)
@api.model
def read_group(self, domain, fields, groupby, offset=0, limit=None, orderby=False, lazy=True):
groupby_fields = set([groupby] if isinstance(groupby, str) else groupby)
if groupby_fields.intersection(USER_PRIVATE_FIELDS):
raise AccessError(_("Invalid 'group by' parameter"))
return super(Users, self).read_group(domain, fields, groupby, offset=offset, limit=limit, orderby=orderby, lazy=lazy)
@api.model
def _search(self, args, offset=0, limit=None, order=None, count=False, access_rights_uid=None):
if not self.env.su and args:
domain_fields = {term[0] for term in args if isinstance(term, (tuple, list))}
if domain_fields.intersection(USER_PRIVATE_FIELDS):
raise AccessError(_('Invalid search criterion'))
return super(Users, self)._search(args, offset=offset, limit=limit, order=order, count=count,
access_rights_uid=access_rights_uid)
@api.model_create_multi
def create(self, vals_list):
users = super(Users, self).create(vals_list)
for user in users:
# if partner is global we keep it that way
if user.partner_id.company_id:
user.partner_id.company_id = user.company_id
user.partner_id.active = user.active
return users
def write(self, values):
if values.get('active') and SUPERUSER_ID in self._ids:
raise UserError(_("You cannot activate the superuser."))
if values.get('active') == False and self._uid in self._ids:
raise UserError(_("You cannot deactivate the user you're currently logged in as."))
if values.get('active'):
for user in self:
if not user.active and not user.partner_id.active:
user.partner_id.toggle_active()
if self == self.env.user:
writeable = self.SELF_WRITEABLE_FIELDS
for key in list(values):
if not (key in writeable or key.startswith('context_')):
break
else:
if 'company_id' in values:
if values['company_id'] not in self.env.user.company_ids.ids:
del values['company_id']
# safe fields only, so we write as super-user to bypass access rights
self = self.sudo().with_context(binary_field_real_user=self.env.user)
if 'groups_id' in values:
default_user = self.env.ref('base.default_user', raise_if_not_found=False)
if default_user and default_user in self:
old_groups = default_user.groups_id
res = super(Users, self).write(values)
if 'groups_id' in values and default_user and default_user in self:
# Sync added groups on default user template to existing users
added_groups = default_user.groups_id - old_groups
if added_groups:
internal_users = self.env.ref('base.group_user').users - default_user
internal_users.write({'groups_id': [Command.link(gid) for gid in added_groups.ids]})
if 'company_id' in values:
for user in self:
# if partner is global we keep it that way
if user.partner_id.company_id and user.partner_id.company_id.id != values['company_id']:
user.partner_id.write({'company_id': user.company_id.id})
if 'company_id' in values or 'company_ids' in values:
# Reset lazy properties `company` & `companies` on all envs
# This is unlikely in a business code to change the company of a user and then do business stuff
# but in case it happens this is handled.
# e.g. `account_test_savepoint.py` `setup_company_data`, triggered by `test_account_invoice_report.py`
for env in list(self.env.transaction.envs):
if env.user in self:
lazy_property.reset_all(env)
# clear caches linked to the users
if self.ids and 'groups_id' in values:
# DLE P139: Calling invalidate_cache on a new, well you lost everything as you wont be able to take it back from the cache
# `test_00_equipment_multicompany_user`
self.env['ir.model.access'].call_cache_clearing_methods()
# per-method / per-model caches have been removed so the various
# clear_cache/clear_caches methods pretty much just end up calling
# Registry._clear_cache
invalidation_fields = self._get_invalidation_fields()
if (invalidation_fields & values.keys()) or any(key.startswith('context_') for key in values):
self.clear_caches()
return res
@api.ondelete(at_uninstall=True)
def _unlink_except_master_data(self):
portal_user_template = self.env.ref('base.template_portal_user_id', False)
default_user_template = self.env.ref('base.default_user', False)
if SUPERUSER_ID in self.ids:
raise UserError(_('You can not remove the admin user as it is used internally for resources created by Odoo (updates, module installation, ...)'))
self.clear_caches()
if (portal_user_template and portal_user_template in self) or (default_user_template and default_user_template in self):
raise UserError(_('Deleting the template users is not allowed. Deleting this profile will compromise critical functionalities.'))
@api.model
def _name_search(self, name, args=None, operator='ilike', limit=100, name_get_uid=None):
args = args or []
user_ids = []
if operator not in expression.NEGATIVE_TERM_OPERATORS:
if operator == 'ilike' and not (name or '').strip():
domain = []
else:
domain = [('login', '=', name)]
user_ids = self._search(expression.AND([domain, args]), limit=limit, access_rights_uid=name_get_uid)
if not user_ids:
user_ids = self._search(expression.AND([[('name', operator, name)], args]), limit=limit, access_rights_uid=name_get_uid)
return user_ids
def copy(self, default=None):
self.ensure_one()
default = dict(default or {})
if ('name' not in default) and ('partner_id' not in default):
default['name'] = _("%s (copy)", self.name)
if 'login' not in default:
default['login'] = _("%s (copy)", self.login)
return super(Users, self).copy(default)
@api.model
@tools.ormcache('self._uid')
def context_get(self):
user = self.env.user
# determine field names to read
name_to_key = {
name: name[8:] if name.startswith('context_') else name
for name in self._fields
if name.startswith('context_') or name in ('lang', 'tz')
}
# use read() to not read other fields: this must work while modifying
# the schema of models res.users or res.partner
values = user.read(list(name_to_key), load=False)[0]
context = {
key: values[name]
for name, key in name_to_key.items()
}
# ensure lang is set and available
# context > request > company > english > any lang installed
langs = [code for code, _ in self.env['res.lang'].get_installed()]
lang = context.get('lang')
if lang not in langs:
lang = request.best_lang if request else None
if lang not in langs:
lang = self.env.user.company_id.partner_id.lang
if lang not in langs:
lang = DEFAULT_LANG
if lang not in langs:
lang = langs[0] if langs else DEFAULT_LANG
context['lang'] = lang
# ensure uid is set
context['uid'] = self.env.uid
return frozendict(context)
@tools.ormcache('self.id')
def _get_company_ids(self):
# use search() instead of `self.company_ids` to avoid extra query for `active_test`
domain = [('active', '=', True), ('user_ids', 'in', self.id)]
return self.env['res.company'].search(domain)._ids
@api.model
def action_get(self):
return self.sudo().env.ref('base.action_res_users_my').read()[0]
def check_super(self, passwd):
return check_super(passwd)
@api.model
def _get_invalidation_fields(self):
return {
'groups_id', 'active', 'lang', 'tz', 'company_id', 'company_ids',
*USER_PRIVATE_FIELDS,
*self._get_session_token_fields()
}
@api.model
def _update_last_login(self):
# only create new records to avoid any side-effect on concurrent transactions
# extra records will be deleted by the periodical garbage collection
self.env['res.users.log'].create({}) # populated by defaults
@api.model
def _get_login_domain(self, login):
return [('login', '=', login)]
@api.model
def _get_login_order(self):
return self._order
@classmethod
def _login(cls, db, login, password, user_agent_env):
if not password:
raise AccessDenied()
ip = request.httprequest.environ['REMOTE_ADDR'] if request else 'n/a'
try:
with cls.pool.cursor() as cr:
self = api.Environment(cr, SUPERUSER_ID, {})[cls._name]
with self._assert_can_auth(user=login):
user = self.search(self._get_login_domain(login), order=self._get_login_order(), limit=1)
if not user:
raise AccessDenied()
user = user.with_user(user)
user._check_credentials(password, user_agent_env)
tz = request.httprequest.cookies.get('tz') if request else None
if tz in pytz.all_timezones and (not user.tz or not user.login_date):
# first login or missing tz -> set tz to browser tz
user.tz = tz
user._update_last_login()
except AccessDenied:
_logger.info("Login failed for db:%s login:%s from %s", db, login, ip)
raise
_logger.info("Login successful for db:%s login:%s from %s", db, login, ip)
return user.id
@classmethod
def authenticate(cls, db, login, password, user_agent_env):
"""Verifies and returns the user ID corresponding to the given
``login`` and ``password`` combination, or False if there was
no matching user.
:param str db: the database on which user is trying to authenticate
:param str login: username
:param str password: user password
:param dict user_agent_env: environment dictionary describing any
relevant environment attributes
"""
uid = cls._login(db, login, password, user_agent_env=user_agent_env)
if user_agent_env and user_agent_env.get('base_location'):
with cls.pool.cursor() as cr:
env = api.Environment(cr, uid, {})
if env.user.has_group('base.group_system'):
# Successfully logged in as system user!
# Attempt to guess the web base url...
try:
base = user_agent_env['base_location']
ICP = env['ir.config_parameter']
if not ICP.get_param('web.base.url.freeze'):
ICP.set_param('web.base.url', base)
except Exception:
_logger.exception("Failed to update web.base.url configuration parameter")
return uid
@classmethod
@tools.ormcache('uid', 'passwd')
def check(cls, db, uid, passwd):
"""Verifies that the given (uid, password) is authorized for the database ``db`` and
raise an exception if it is not."""
if not passwd:
# empty passwords disallowed for obvious security reasons
raise AccessDenied()
with contextlib.closing(cls.pool.cursor()) as cr:
self = api.Environment(cr, uid, {})[cls._name]
with self._assert_can_auth(user=uid):
if not self.env.user.active:
raise AccessDenied()
self._check_credentials(passwd, {'interactive': False})
def _get_session_token_fields(self):
return {'id', 'login', 'password', 'active'}
@tools.ormcache('sid')
def _compute_session_token(self, sid):
""" Compute a session token given a session id and a user id """
# retrieve the fields used to generate the session token
session_fields = ', '.join(sorted(self._get_session_token_fields()))
self.env.cr.execute("""SELECT %s, (SELECT value FROM ir_config_parameter WHERE key='database.secret')
FROM res_users
WHERE id=%%s""" % (session_fields), (self.id,))
if self.env.cr.rowcount != 1:
self.clear_caches()
return False
data_fields = self.env.cr.fetchone()
# generate hmac key
key = (u'%s' % (data_fields,)).encode('utf-8')
# hmac the session id
data = sid.encode('utf-8')
h = hmac.new(key, data, sha256)
# keep in the cache the token
return h.hexdigest()
@api.model
def change_password(self, old_passwd, new_passwd):
"""Change current user password. Old password must be provided explicitly
to prevent hijacking an existing user session, or for cases where the cleartext
password is not used to authenticate requests.
:return: True
:raise: odoo.exceptions.AccessDenied when old password is wrong
:raise: odoo.exceptions.UserError when new password is not set or empty
"""
if not old_passwd:
raise AccessDenied()
# alternatively: use identitycheck wizard?
self._check_credentials(old_passwd, {'interactive': True})
# use self.env.user here, because it has uid=SUPERUSER_ID
self.env.user._change_password(new_passwd)
return True
def _change_password(self, new_passwd):
new_passwd = new_passwd.strip()
if not new_passwd:
raise UserError(_("Setting empty passwords is not allowed for security reasons!"))
ip = request.httprequest.environ['REMOTE_ADDR'] if request else 'n/a'
_logger.info(
"Password change for %r (#%d) by %r (#%d) from %s",
self.login, self.id,
self.env.user.login, self.env.user.id,
ip
)
self.password = new_passwd
def _deactivate_portal_user(self, **post):
"""Try to remove the current portal user.
This is used to give the opportunity to portal users to de-activate their accounts.
Indeed, as the portal users can easily create accounts, they will sometimes wish
it removed because they don't use this Odoo portal anymore.
Before this feature, they would have to contact the website or the support to get
their account removed, which could be tedious.
"""
non_portal_users = self.filtered(lambda user: not user.share)
if non_portal_users:
raise AccessDenied(_(
'Only the portal users can delete their accounts. '
'The user(s) %s can not be deleted.',
', '.join(non_portal_users.mapped('name')),
))
ip = request.httprequest.environ['REMOTE_ADDR'] if request else 'n/a'
res_users_deletion_values = []
for user in self:
_logger.info(
'Account deletion asked for "%s" (#%i) from %s. '
'Archive the user and remove login information.',
user.login, user.id, ip,
)
user.write({
'login': f'__deleted_user_{user.id}_{time.time()}',
'password': '',
'api_key_ids': Command.clear(),
})
res_users_deletion_values.append({
'user_id': user.id,
'state': 'todo',
})
# Here we try to archive the user / partner, and then add the user in a deletion
# queue, to remove it from the database. As the deletion might fail (if the
# partner is related to an invoice e.g.) it's important to archive it here.
try:
# A user can not self-deactivate
self.with_user(SUPERUSER_ID).action_archive()
except Exception:
pass
try:
self.partner_id.action_archive()
except Exception:
pass
# Add users in the deletion queue
self.env['res.users.deletion'].create(res_users_deletion_values)
def preference_save(self):
return {
'type': 'ir.actions.client',
'tag': 'reload_context',
}
@check_identity
def preference_change_password(self):
return {
'type': 'ir.actions.act_window',
'target': 'new',
'res_model': 'change.password.own',
'view_mode': 'form',
}
@api.model
def has_group(self, group_ext_id):
# use singleton's id if called on a non-empty recordset, otherwise
# context uid
uid = self.id
if uid and uid != self._uid:
self = self.with_user(uid)
return self._has_group(group_ext_id)
@api.model
@tools.ormcache('self._uid', 'group_ext_id')
def _has_group(self, group_ext_id):
"""Checks whether user belongs to given group.
:param str group_ext_id: external ID (XML ID) of the group.
Must be provided in fully-qualified form (``module.ext_id``), as there
is no implicit module to use..
:return: True if the current user is a member of the group with the
given external ID (XML ID), else False.
"""
assert group_ext_id and '.' in group_ext_id, "External ID '%s' must be fully qualified" % group_ext_id
module, ext_id = group_ext_id.split('.')
self._cr.execute("""SELECT 1 FROM res_groups_users_rel WHERE uid=%s AND gid IN
(SELECT res_id FROM ir_model_data WHERE module=%s AND name=%s AND model='res.groups')""",
(self._uid, module, ext_id))
return bool(self._cr.fetchone())
def _action_show(self):
"""If self is a singleton, directly access the form view. If it is a recordset, open a tree view"""
view_id = self.env.ref('base.view_users_form').id
action = {
'type': 'ir.actions.act_window',
'res_model': 'res.users',
'context': {'create': False},
}
if len(self) > 1:
action.update({
'name': _('Users'),
'view_mode': 'list,form',
'views': [[None, 'list'], [view_id, 'form']],
'domain': [('id', 'in', self.ids)],
})
else:
action.update({
'view_mode': 'form',
'views': [[view_id, 'form']],
'res_id': self.id,
})
return action
def action_show_groups(self):
self.ensure_one()
return {
'name': _('Groups'),
'view_mode': 'tree,form',
'res_model': 'res.groups',
'type': 'ir.actions.act_window',
'context': {'create': False, 'delete': False},
'domain': [('id','in', self.groups_id.ids)],
'target': 'current',
}
def action_show_accesses(self):
self.ensure_one()
return {
'name': _('Access Rights'),
'view_mode': 'tree,form',
'res_model': 'ir.model.access',
'type': 'ir.actions.act_window',
'context': {'create': False, 'delete': False},
'domain': [('id', 'in', self.groups_id.model_access.ids)],
'target': 'current',
}
def action_show_rules(self):
self.ensure_one()
return {
'name': _('Record Rules'),
'view_mode': 'tree,form',
'res_model': 'ir.rule',
'type': 'ir.actions.act_window',
'context': {'create': False, 'delete': False},
'domain': [('id', 'in', self.groups_id.rule_groups.ids)],
'target': 'current',
}
def _is_internal(self):
self.ensure_one()
return not self.sudo().share
def _is_public(self):
self.ensure_one()
return self.has_group('base.group_public')
def _is_system(self):
self.ensure_one()
return self.has_group('base.group_system')
def _is_admin(self):
self.ensure_one()
return self._is_superuser() or self.has_group('base.group_erp_manager')
def _is_superuser(self):
self.ensure_one()
return self.id == SUPERUSER_ID
@api.model
def get_company_currency_id(self):
return self.env.company.currency_id.id
@tools.ormcache()
def _crypt_context(self):
""" Passlib CryptContext instance used to encrypt and verify
passwords. Can be overridden if technical, legal or political matters
require different kdfs than the provided default.
The work factor of the default KDF can be configured using the
``password.hashing.rounds`` ICP.
"""
cfg = self.env['ir.config_parameter'].sudo()
return CryptContext(
# kdf which can be verified by the context. The default encryption
# kdf is the first of the list
['pbkdf2_sha512', 'plaintext'],
# deprecated algorithms are still verified as usual, but
# ``needs_update`` will indicate that the stored hash should be
# replaced by a more recent algorithm.
deprecated=['auto'],
pbkdf2_sha512__rounds=max(MIN_ROUNDS, int(cfg.get_param('password.hashing.rounds', 0))),
)
@contextlib.contextmanager
def _assert_can_auth(self, user=None):
""" Checks that the current environment even allows the current auth
request to happen.
The baseline implementation is a simple linear login cooldown: after
a number of failures trying to log-in, the user (by login) is put on
cooldown. During the cooldown period, login *attempts* are ignored
and logged.
:param user: user id or login, for logging purpose
.. warning::
The login counter is not shared between workers and not
specifically thread-safe, the feature exists mostly for
rate-limiting on large number of login attempts (brute-forcing
passwords) so that should not be much of an issue.
For a more complex strategy (e.g. database or distribute storage)
override this method. To simply change the cooldown criteria
(configuration, ...) override _on_login_cooldown instead.
.. note::
This is a *context manager* so it can be called around the login
procedure without having to call it itself.
"""
# needs request for remote address
if not request:
yield
return
reg = self.env.registry
failures_map = getattr(reg, '_login_failures', None)
if failures_map is None:
failures_map = reg._login_failures = collections.defaultdict(lambda : (0, datetime.datetime.min))
source = request.httprequest.remote_addr
(failures, previous) = failures_map[source]
if self._on_login_cooldown(failures, previous):
_logger.warning(
"Login attempt ignored for %s (user %r) on %s: "
"%d failures since last success, last failure at %s. "
"You can configure the number of login failures before a "
"user is put on cooldown as well as the duration in the "
"System Parameters. Disable this feature by setting "
"\"base.login_cooldown_after\" to 0.",
source, user or "?", self.env.cr.dbname, failures, previous)
if ipaddress.ip_address(source).is_private:
_logger.warning(
"The rate-limited IP address %s is classified as private "
"and *might* be a proxy. If your Odoo is behind a proxy, "
"it may be mis-configured. Check that you are running "
"Odoo in Proxy Mode and that the proxy is properly configured, see "
"https://www.odoo.com/documentation/16.0/administration/install/deploy.html#https for details.",
source
)
raise AccessDenied(_("Too many login failures, please wait a bit before trying again."))
try:
yield
except AccessDenied:
(failures, __) = reg._login_failures[source]
reg._login_failures[source] = (failures + 1, datetime.datetime.now())
raise
else:
reg._login_failures.pop(source, None)
def _on_login_cooldown(self, failures, previous):
""" Decides whether the user trying to log in is currently
"on cooldown" and not even allowed to attempt logging in.
The default cooldown function simply puts the user on cooldown for
seconds after each failure following the
th (0 to disable).
Can be overridden to implement more complex backoff strategies, or
e.g. wind down or reset the cooldown period as the previous failure
recedes into the far past.
:param int failures: number of recorded failures (since last success)
:param previous: timestamp of previous failure
:type previous: datetime.datetime
:returns: whether the user is currently in cooldown phase (true if cooldown, false if no cooldown and login can continue)
:rtype: bool
"""
cfg = self.env['ir.config_parameter'].sudo()
min_failures = int(cfg.get_param('base.login_cooldown_after', 5))
if min_failures == 0:
return False
delay = int(cfg.get_param('base.login_cooldown_duration', 60))
return failures >= min_failures and (datetime.datetime.now() - previous) < datetime.timedelta(seconds=delay)
def _register_hook(self):
if hasattr(self, 'check_credentials'):
_logger.warning("The check_credentials method of res.users has been renamed _check_credentials. One of your installed modules defines one, but it will not be called anymore.")
def _mfa_type(self):
""" If an MFA method is enabled, returns its type as a string. """
return
def _mfa_url(self):
""" If an MFA method is enabled, returns the URL for its second step. """
return
#
# Implied groups
#
# Extension of res.groups and res.users with a relation for "implied" or
# "inherited" groups. Once a user belongs to a group, it automatically belongs
# to the implied groups (transitively).
#
class GroupsImplied(models.Model):
_inherit = 'res.groups'
implied_ids = fields.Many2many('res.groups', 'res_groups_implied_rel', 'gid', 'hid',
string='Inherits', help='Users of this group automatically inherit those groups')
trans_implied_ids = fields.Many2many('res.groups', string='Transitively inherits',
compute='_compute_trans_implied', recursive=True)
@api.depends('implied_ids.trans_implied_ids')
def _compute_trans_implied(self):
# Compute the transitive closure recursively. Note that the performance
# is good, because the record cache behaves as a memo (the field is
# never computed twice on a given group.)
for g in self:
g.trans_implied_ids = g.implied_ids | g.implied_ids.trans_implied_ids
@api.model_create_multi
def create(self, vals_list):
user_ids_list = [vals.pop('users', None) for vals in vals_list]
groups = super(GroupsImplied, self).create(vals_list)
for group, user_ids in zip(groups, user_ids_list):
if user_ids:
# delegate addition of users to add implied groups
group.write({'users': user_ids})
return groups
def write(self, values):
res = super(GroupsImplied, self).write(values)
if values.get('users') or values.get('implied_ids'):
# add all implied groups (to all users of each group)
for group in self:
self._cr.execute("""
WITH RECURSIVE group_imply(gid, hid) AS (
SELECT gid, hid
FROM res_groups_implied_rel
UNION
SELECT i.gid, r.hid
FROM res_groups_implied_rel r
JOIN group_imply i ON (i.hid = r.gid)
)
INSERT INTO res_groups_users_rel (gid, uid)
SELECT i.hid, r.uid
FROM group_imply i, res_groups_users_rel r
WHERE r.gid = i.gid
AND i.gid = %(gid)s
EXCEPT
SELECT r.gid, r.uid
FROM res_groups_users_rel r
JOIN group_imply i ON (r.gid = i.hid)
WHERE i.gid = %(gid)s
""", dict(gid=group.id))
self._check_one_user_type()
return res
def _apply_group(self, implied_group):
""" Add the given group to the groups implied by the current group
:param implied_group: the implied group to add
"""
groups = self.filtered(lambda g: implied_group not in g.implied_ids)
groups.write({'implied_ids': [Command.link(implied_group.id)]})
def _remove_group(self, implied_group):
""" Remove the given group from the implied groups of the current group
:param implied_group: the implied group to remove
"""
groups = self.filtered(lambda g: implied_group in g.implied_ids)
if groups:
groups.write({'implied_ids': [Command.unlink(implied_group.id)]})
# if user belongs to implied_group thanks to another group, don't remove him
# this avoids readding the template user and triggering the mechanism at 121cd0d6084cb28
users_to_unlink = [
user
for user in groups.with_context(active_test=False).users
if implied_group not in (user.groups_id - implied_group).trans_implied_ids
]
if users_to_unlink:
# do not remove inactive users (e.g. default)
implied_group.with_context(active_test=False).write(
{'users': [Command.unlink(user.id) for user in users_to_unlink]})
class UsersImplied(models.Model):
_inherit = 'res.users'
@api.model_create_multi
def create(self, vals_list):
for values in vals_list:
if 'groups_id' in values:
# complete 'groups_id' with implied groups
user = self.new(values)
gs = user.groups_id._origin
gs = gs | gs.trans_implied_ids
values['groups_id'] = type(self).groups_id.convert_to_write(gs, user)
return super(UsersImplied, self).create(vals_list)
def write(self, values):
if not values.get('groups_id'):
return super(UsersImplied, self).write(values)
users_before = self.filtered(lambda u: u._is_internal())
res = super(UsersImplied, self).write(values)
demoted_users = users_before.filtered(lambda u: not u._is_internal())
if demoted_users:
# demoted users are restricted to the assigned groups only
vals = {'groups_id': [Command.clear()] + values['groups_id']}
super(UsersImplied, demoted_users).write(vals)
# add implied groups for all users (in batches)
users_batch = defaultdict(self.browse)
for user in self:
users_batch[user.groups_id] += user
for groups, users in users_batch.items():
gs = set(concat(g.trans_implied_ids for g in groups))
vals = {'groups_id': [Command.link(g.id) for g in gs]}
super(UsersImplied, users).write(vals)
return res
#
# Virtual checkbox and selection for res.user form view
#
# Extension of res.groups and res.users for the special groups view in the users
# form. This extension presents groups with selection and boolean widgets:
# - Groups are shown by application, with boolean and/or selection fields.
# Selection fields typically defines a role "Name" for the given application.
# - Uncategorized groups are presented as boolean fields and grouped in a
# section "Others".
#
# The user form view is modified by an inherited view (base.user_groups_view);
# the inherited view replaces the field 'groups_id' by a set of reified group
# fields (boolean or selection fields). The arch of that view is regenerated
# each time groups are changed.
#
# Naming conventions for reified groups fields:
# - boolean field 'in_group_ID' is True iff
# ID is in 'groups_id'
# - selection field 'sel_groups_ID1_..._IDk' is ID iff
# ID is in 'groups_id' and ID is maximal in the set {ID1, ..., IDk}
#
class GroupsView(models.Model):
_inherit = 'res.groups'
@api.model_create_multi
def create(self, vals_list):
groups = super().create(vals_list)
self._update_user_groups_view()
# actions.get_bindings() depends on action records
self.env['ir.actions.actions'].clear_caches()
return groups
def write(self, values):
# determine which values the "user groups view" depends on
VIEW_DEPS = ('category_id', 'implied_ids')
view_values0 = [g[name] for name in VIEW_DEPS if name in values for g in self]
res = super(GroupsView, self).write(values)
# update the "user groups view" only if necessary
view_values1 = [g[name] for name in VIEW_DEPS if name in values for g in self]
if view_values0 != view_values1:
self._update_user_groups_view()
# actions.get_bindings() depends on action records
self.env['ir.actions.actions'].clear_caches()
return res
def unlink(self):
res = super(GroupsView, self).unlink()
self._update_user_groups_view()
# actions.get_bindings() depends on action records
self.env['ir.actions.actions'].clear_caches()
return res
def _get_hidden_extra_categories(self):
return ['base.module_category_hidden', 'base.module_category_extra', 'base.module_category_usability']
@api.model
def _update_user_groups_view(self):
""" Modify the view with xmlid ``base.user_groups_view``, which inherits
the user form view, and introduces the reified group fields.
"""
# remove the language to avoid translations, it will be handled at the view level
self = self.with_context(lang=None)
# We have to try-catch this, because at first init the view does not
# exist but we are already creating some basic groups.
view = self.env.ref('base.user_groups_view', raise_if_not_found=False)
if not (view and view._name == 'ir.ui.view'):
return
if self._context.get('install_filename') or self._context.get(MODULE_UNINSTALL_FLAG):
# use a dummy view during install/upgrade/uninstall
xml = E.field(name="groups_id", position="after")
else:
group_no_one = view.env.ref('base.group_no_one')
group_employee = view.env.ref('base.group_user')
xml0, xml1, xml2, xml3, xml4 = [], [], [], [], []
xml_by_category = {}
xml1.append(E.separator(string='User Type', colspan="2", groups='base.group_no_one'))
user_type_field_name = ''
user_type_readonly = str({})
sorted_tuples = sorted(self.get_groups_by_application(),
key=lambda t: t[0].xml_id != 'base.module_category_user_type')
for app, kind, gs, category_name in sorted_tuples: # we process the user type first
attrs = {}
# hide groups in categories 'Hidden' and 'Extra' (except for group_no_one)
if app.xml_id in self._get_hidden_extra_categories():
attrs['groups'] = 'base.group_no_one'
# User type (employee, portal or public) is a separated group. This is the only 'selection'
# group of res.groups without implied groups (with each other).
if app.xml_id == 'base.module_category_user_type':
# application name with a selection field
field_name = name_selection_groups(gs.ids)
# test_reified_groups, put the user category type in invisible
# as it's used in domain of attrs of other fields,
# and the normal user category type field node is wrapped in a `groups="base.no_one"`,
# and is therefore removed when not in debug mode.
xml0.append(E.field(name=field_name, invisible="1", on_change="1"))
user_type_field_name = field_name
user_type_readonly = str({'readonly': [(user_type_field_name, '!=', group_employee.id)]})
attrs['widget'] = 'radio'
# Trigger the on_change of this "virtual field"
attrs['on_change'] = '1'
xml1.append(E.field(name=field_name, **attrs))
xml1.append(E.newline())
elif kind == 'selection':
# application name with a selection field
field_name = name_selection_groups(gs.ids)
attrs['attrs'] = user_type_readonly
attrs['on_change'] = '1'
if category_name not in xml_by_category:
xml_by_category[category_name] = []
xml_by_category[category_name].append(E.newline())
xml_by_category[category_name].append(E.field(name=field_name, **attrs))
xml_by_category[category_name].append(E.newline())
# add duplicate invisible field so default values are saved on create
if attrs.get('groups') == 'base.group_no_one':
xml0.append(E.field(name=field_name, **dict(attrs, invisible="1", groups='!base.group_no_one')))
else:
# application separator with boolean fields
app_name = app.name or 'Other'
xml4.append(E.separator(string=app_name, **attrs))
left_group, right_group = [], []
attrs['attrs'] = user_type_readonly
# we can't use enumerate, as we sometime skip groups
group_count = 0
for g in gs:
field_name = name_boolean_group(g.id)
dest_group = left_group if group_count % 2 == 0 else right_group
if g == group_no_one:
# make the group_no_one invisible in the form view
dest_group.append(E.field(name=field_name, invisible="1", **attrs))
else:
dest_group.append(E.field(name=field_name, **attrs))
# add duplicate invisible field so default values are saved on create
xml0.append(E.field(name=field_name, **dict(attrs, invisible="1", groups='!base.group_no_one')))
group_count += 1
xml4.append(E.group(*left_group))
xml4.append(E.group(*right_group))
xml4.append({'class': "o_label_nowrap"})
if user_type_field_name:
user_type_attrs = {'invisible': [(user_type_field_name, '!=', group_employee.id)]}
else:
user_type_attrs = {}
for xml_cat in sorted(xml_by_category.keys(), key=lambda it: it[0]):
master_category_name = xml_cat[1]
xml3.append(E.group(*(xml_by_category[xml_cat]), string=master_category_name))
field_name = 'user_group_warning'
user_group_warning_xml = E.div({
'class': "alert alert-warning",
'role': "alert",
'colspan': "2",
'attrs': str({'invisible': [(field_name, '=', False)]})
})
user_group_warning_xml.append(E.label({
'for': field_name,
'string': "Access Rights Mismatch",
'class': "text text-warning fw-bold",
}))
user_group_warning_xml.append(E.field(name=field_name))
xml2.append(user_group_warning_xml)
xml = E.field(
*(xml0),
E.group(*(xml1), groups="base.group_no_one"),
E.group(*(xml2), attrs=str(user_type_attrs)),
E.group(*(xml3), attrs=str(user_type_attrs)),
E.group(*(xml4), attrs=str(user_type_attrs), groups="base.group_no_one"), name="groups_id", position="replace")
xml.addprevious(etree.Comment("GENERATED AUTOMATICALLY BY GROUPS"))
# serialize and update the view
xml_content = etree.tostring(xml, pretty_print=True, encoding="unicode")
if xml_content != view.arch: # avoid useless xml validation if no change
new_context = dict(view._context)
new_context.pop('install_filename', None) # don't set arch_fs for this computed view
new_context['lang'] = None
view.with_context(new_context).write({'arch': xml_content})
def get_application_groups(self, domain):
""" Return the non-share groups that satisfy ``domain``. """
return self.search(domain + [('share', '=', False)])
@api.model
def get_groups_by_application(self):
""" Return all groups classified by application (module category), as a list::
[(app, kind, groups), ...],
where ``app`` and ``groups`` are recordsets, and ``kind`` is either
``'boolean'`` or ``'selection'``. Applications are given in sequence
order. If ``kind`` is ``'selection'``, ``groups`` are given in
reverse implication order.
"""
def linearize(app, gs, category_name):
# 'User Type' is an exception
if app.xml_id == 'base.module_category_user_type':
return (app, 'selection', gs.sorted('id'), category_name)
# determine sequence order: a group appears after its implied groups
order = {g: len(g.trans_implied_ids & gs) for g in gs}
# We want a selection for Accounting too. Auditor and Invoice are both
# children of Accountant, but the two of them make a full accountant
# so it makes no sense to have checkboxes.
if app.xml_id == 'base.module_category_accounting_accounting':
return (app, 'selection', gs.sorted(key=order.get), category_name)
# check whether order is total, i.e., sequence orders are distinct
if len(set(order.values())) == len(gs):
return (app, 'selection', gs.sorted(key=order.get), category_name)
else:
return (app, 'boolean', gs, (100, 'Other'))
# classify all groups by application
by_app, others = defaultdict(self.browse), self.browse()
for g in self.get_application_groups([]):
if g.category_id:
by_app[g.category_id] += g
else:
others += g
# build the result
res = []
for app, gs in sorted(by_app.items(), key=lambda it: it[0].sequence or 0):
if app.parent_id:
res.append(linearize(app, gs, (app.parent_id.sequence, app.parent_id.name)))
else:
res.append(linearize(app, gs, (100, 'Other')))
if others:
res.append((self.env['ir.module.category'], 'boolean', others, (100,'Other')))
return res
class ModuleCategory(models.Model):
_inherit = "ir.module.category"
def write(self, values):
res = super().write(values)
if "name" in values:
self.env["res.groups"]._update_user_groups_view()
return res
def unlink(self):
res = super().unlink()
self.env["res.groups"]._update_user_groups_view()
return res
class UsersView(models.Model):
_inherit = 'res.users'
user_group_warning = fields.Text(string="User Group Warning", compute="_compute_user_group_warning")
@api.depends('groups_id', 'share')
@api.depends_context('show_user_group_warning')
def _compute_user_group_warning(self):
self.user_group_warning = False
if self._context.get('show_user_group_warning'):
for user in self.filtered_domain([('share', '=', False)]):
group_inheritance_warnings = self._prepare_warning_for_group_inheritance(user)
if group_inheritance_warnings:
user.user_group_warning = group_inheritance_warnings
@api.model_create_multi
def create(self, vals_list):
new_vals_list = []
for values in vals_list:
new_vals_list.append(self._remove_reified_groups(values))
users = super(UsersView, self).create(new_vals_list)
group_multi_company_id = self.env['ir.model.data']._xmlid_to_res_id(
'base.group_multi_company', raise_if_not_found=False)
if group_multi_company_id:
for user in users:
if len(user.company_ids) <= 1 and group_multi_company_id in user.groups_id.ids:
user.write({'groups_id': [Command.unlink(group_multi_company_id)]})
elif len(user.company_ids) > 1 and group_multi_company_id not in user.groups_id.ids:
user.write({'groups_id': [Command.link(group_multi_company_id)]})
return users
def write(self, values):
values = self._remove_reified_groups(values)
res = super(UsersView, self).write(values)
if 'company_ids' not in values:
return res
group_multi_company = self.env.ref('base.group_multi_company', False)
if group_multi_company:
for user in self:
if len(user.company_ids) <= 1 and user.id in group_multi_company.users.ids:
user.write({'groups_id': [Command.unlink(group_multi_company.id)]})
elif len(user.company_ids) > 1 and user.id not in group_multi_company.users.ids:
user.write({'groups_id': [Command.link(group_multi_company.id)]})
return res
@api.model
def new(self, values=None, origin=None, ref=None):
if values is None:
values = {}
values = self._remove_reified_groups(values)
user = super().new(values=values, origin=origin, ref=ref)
group_multi_company = self.env.ref('base.group_multi_company', False)
if group_multi_company and 'company_ids' in values:
if len(user.company_ids) <= 1 and user.id in group_multi_company.users.ids:
user.update({'groups_id': [Command.unlink(group_multi_company.id)]})
elif len(user.company_ids) > 1 and user.id not in group_multi_company.users.ids:
user.update({'groups_id': [Command.link(group_multi_company.id)]})
return user
def _prepare_warning_for_group_inheritance(self, user):
""" Check (updated) groups configuration for user. If implieds groups
will be added back due to inheritance and hierarchy in groups return
a message explaining the missing groups.
:param res.users user: target user
:return: string to display in a warning
"""
# Current groups of the user
current_groups = user.groups_id.filtered('trans_implied_ids')
current_groups_by_category = defaultdict(lambda: self.env['res.groups'])
for group in current_groups:
current_groups_by_category[group.category_id] |= group.trans_implied_ids.filtered(lambda grp: grp.category_id == group.category_id)
missing_groups = {}
# We don't want to show warning for "Technical" and "Extra Rights" groups
categories_to_ignore = self.env.ref('base.module_category_hidden') + self.env.ref('base.module_category_usability')
for group in current_groups:
# Get the updated group from current groups
missing_implied_groups = group.implied_ids - user.groups_id
# Get the missing group needed in updated group's category (For example, someone changes
# Sales: Admin to Sales: User, but Field Service is already set to Admin, so here in the
# 'Sales' category, we will at the minimum need Admin group)
missing_implied_groups = missing_implied_groups.filtered(
lambda g:
g.category_id not in (group.category_id | categories_to_ignore) and
g not in current_groups_by_category[g.category_id] and
(self.user_has_groups('base.group_no_one') or g.category_id)
)
if missing_implied_groups:
# prepare missing group message, by categories
missing_groups[group] = ", ".join(f'"{missing_group.category_id.name or _("Other")}: {missing_group.name}"'
for missing_group in missing_implied_groups)
return "\n".join(
_('Since %(user)s is a/an "%(category)s: %(group)s", they will at least obtain the right %(missing_group_message)s',
user=user.name,
category=group.category_id.name or _('Other'),
group=group.name,
missing_group_message=missing_group_message
) for group, missing_group_message in missing_groups.items()
)
def _remove_reified_groups(self, values):
""" return `values` without reified group fields """
add, rem = [], []
values1 = {}
for key, val in values.items():
if is_boolean_group(key):
(add if val else rem).append(get_boolean_group(key))
elif is_selection_groups(key):
rem += get_selection_groups(key)
if val:
add.append(val)
else:
values1[key] = val
if 'groups_id' not in values and (add or rem):
added = self.env['res.groups'].sudo().browse(add)
added |= added.mapped('trans_implied_ids')
added_ids = added._ids
# remove group ids in `rem` and add group ids in `add`
# do not remove groups that are added by implied
values1['groups_id'] = list(itertools.chain(
zip(repeat(3), [gid for gid in rem if gid not in added_ids]),
zip(repeat(4), add)
))
return values1
@api.model
def default_get(self, fields):
group_fields, fields = partition(is_reified_group, fields)
fields1 = (fields + ['groups_id']) if group_fields else fields
values = super(UsersView, self).default_get(fields1)
self._add_reified_groups(group_fields, values)
return values
def onchange(self, values, field_name, field_onchange):
# field_name can be either a string, a list or Falsy
if isinstance(field_name, list):
names = field_name
elif field_name:
names = [field_name]
else:
names = []
if any(is_reified_group(field) for field in names):
field_name = (
['groups_id']
+ [field for field in names if not is_reified_group(field)]
)
values.pop('groups_id', None)
values.update(self._remove_reified_groups(values))
field_onchange['groups_id'] = ''
result = super().onchange(values, field_name, field_onchange)
if not field_name: # merged default_get
self._add_reified_groups(
filter(is_reified_group, field_onchange),
result.setdefault('value', {})
)
return result
def read(self, fields=None, load='_classic_read'):
# determine whether reified groups fields are required, and which ones
fields1 = fields or list(self.fields_get())
group_fields, other_fields = partition(is_reified_group, fields1)
# read regular fields (other_fields); add 'groups_id' if necessary
drop_groups_id = False
if group_fields and fields:
if 'groups_id' not in other_fields:
other_fields.append('groups_id')
drop_groups_id = True
else:
other_fields = fields
res = super(UsersView, self).read(other_fields, load=load)
# post-process result to add reified group fields
if group_fields:
for values in res:
self._add_reified_groups(group_fields, values)
if drop_groups_id:
values.pop('groups_id', None)
return res
@api.model
def read_group(self, domain, fields, groupby, offset=0, limit=None, orderby=False, lazy=True):
if fields:
# ignore reified fields
fields = [fname for fname in fields if not is_reified_group(fname)]
return super().read_group(domain, fields, groupby, offset=offset, limit=limit, orderby=orderby, lazy=lazy)
def _add_reified_groups(self, fields, values):
""" add the given reified group fields into `values` """
gids = set(parse_m2m(values.get('groups_id') or []))
for f in fields:
if is_boolean_group(f):
values[f] = get_boolean_group(f) in gids
elif is_selection_groups(f):
# determine selection groups, in order
sel_groups = self.env['res.groups'].sudo().browse(get_selection_groups(f))
sel_order = {g: len(g.trans_implied_ids & sel_groups) for g in sel_groups}
sel_groups = sel_groups.sorted(key=sel_order.get)
# determine which ones are in gids
selected = [gid for gid in sel_groups.ids if gid in gids]
# if 'Internal User' is in the group, this is the "User Type" group
# and we need to show 'Internal User' selected, not Public/Portal.
if self.env.ref('base.group_user').id in selected:
values[f] = self.env.ref('base.group_user').id
else:
values[f] = selected and selected[-1] or False
@api.model
def fields_get(self, allfields=None, attributes=None):
res = super(UsersView, self).fields_get(allfields, attributes=attributes)
# add reified groups fields
for app, kind, gs, category_name in self.env['res.groups'].sudo().get_groups_by_application():
if kind == 'selection':
# 'User Type' should not be 'False'. A user is either 'employee', 'portal' or 'public' (required).
selection_vals = [(False, '')]
if app.xml_id == 'base.module_category_user_type':
selection_vals = []
field_name = name_selection_groups(gs.ids)
if allfields and field_name not in allfields:
continue
# selection group field
tips = []
if app.description:
tips.append(app.description + '\n')
tips.extend('%s: %s' % (g.name, g.comment) for g in gs if g.comment)
res[field_name] = {
'type': 'selection',
'string': app.name or _('Other'),
'selection': selection_vals + [(g.id, g.name) for g in gs],
'help': '\n'.join(tips),
'exportable': False,
'selectable': False,
}
else:
# boolean group fields
for g in gs:
field_name = name_boolean_group(g.id)
if allfields and field_name not in allfields:
continue
res[field_name] = {
'type': 'boolean',
'string': g.name,
'help': g.comment,
'exportable': False,
'selectable': False,
}
# add self readable/writable fields
missing = set(self.SELF_WRITEABLE_FIELDS).union(self.SELF_READABLE_FIELDS).difference(res.keys())
if allfields:
missing = missing.intersection(allfields)
if missing:
res.update({
key: dict(values, readonly=key not in self.SELF_WRITEABLE_FIELDS, searchable=False)
for key, values in super(UsersView, self.sudo()).fields_get(missing, attributes).items()
})
return res
class CheckIdentity(models.TransientModel):
""" Wizard used to re-check the user's credentials (password)
Might be useful before the more security-sensitive operations, users might be
leaving their computer unlocked & unattended. Re-checking credentials mitigates
some of the risk of a third party using such an unattended device to manipulate
the account.
"""
_name = 'res.users.identitycheck'
_description = "Password Check Wizard"
request = fields.Char(readonly=True, groups=fields.NO_ACCESS)
password = fields.Char()
def run_check(self):
assert request, "This method can only be accessed over HTTP"
try:
self.create_uid._check_credentials(self.password, {'interactive': True})
except AccessDenied:
raise UserError(_("Incorrect Password, try again or click on Forgot Password to reset your password."))
self.password = False
request.session['identity-check-last'] = time.time()
ctx, model, ids, method = json.loads(self.sudo().request)
method = getattr(self.env(context=ctx)[model].browse(ids), method)
assert getattr(method, '__has_check_identity', False)
return method()
#----------------------------------------------------------
# change password wizard
#----------------------------------------------------------
class ChangePasswordWizard(models.TransientModel):
""" A wizard to manage the change of users' passwords. """
_name = "change.password.wizard"
_description = "Change Password Wizard"
def _default_user_ids(self):
user_ids = self._context.get('active_model') == 'res.users' and self._context.get('active_ids') or []
return [
Command.create({'user_id': user.id, 'user_login': user.login})
for user in self.env['res.users'].browse(user_ids)
]
user_ids = fields.One2many('change.password.user', 'wizard_id', string='Users', default=_default_user_ids)
def change_password_button(self):
self.ensure_one()
self.user_ids.change_password_button()
if self.env.user in self.user_ids.user_id:
return {'type': 'ir.actions.client', 'tag': 'reload'}
return {'type': 'ir.actions.act_window_close'}
class ChangePasswordUser(models.TransientModel):
""" A model to configure users in the change password wizard. """
_name = 'change.password.user'
_description = 'User, Change Password Wizard'
wizard_id = fields.Many2one('change.password.wizard', string='Wizard', required=True, ondelete='cascade')
user_id = fields.Many2one('res.users', string='User', required=True, ondelete='cascade')
user_login = fields.Char(string='User Login', readonly=True)
new_passwd = fields.Char(string='New Password', default='')
def change_password_button(self):
for line in self:
if not line.new_passwd:
raise UserError(_("Before clicking on 'Change Password', you have to write a new password."))
line.user_id._change_password(line.new_passwd)
# don't keep temporary passwords in the database longer than necessary
self.write({'new_passwd': False})
class ChangePasswordOwn(models.TransientModel):
_name = "change.password.own"
_description = "User, change own password wizard"
_transient_max_hours = 0.1
new_password = fields.Char(string="New Password")
confirm_password = fields.Char(string="New Password (Confirmation)")
@api.constrains('new_password', 'confirm_password')
def _check_password_confirmation(self):
if self.confirm_password != self.new_password:
raise ValidationError(_("The new password and its confirmation must be identical."))
@check_identity
def change_password(self):
self.env.user._change_password(self.new_password)
self.unlink()
# reload to avoid a session expired error
# would be great to update the session id in-place, but it seems dicey
return {'type': 'ir.actions.client', 'tag': 'reload'}
# API keys support
API_KEY_SIZE = 20 # in bytes
INDEX_SIZE = 8 # in hex digits, so 4 bytes, or 20% of the key
KEY_CRYPT_CONTEXT = CryptContext(
# default is 29000 rounds which is 25~50ms, which is probably unnecessary
# given in this case all the keys are completely random data: dictionary
# attacks on API keys isn't much of a concern
['pbkdf2_sha512'], pbkdf2_sha512__rounds=6000,
)
class APIKeysUser(models.Model):
_inherit = 'res.users'
api_key_ids = fields.One2many('res.users.apikeys', 'user_id', string="API Keys")
@property
def SELF_READABLE_FIELDS(self):
return super().SELF_READABLE_FIELDS + ['api_key_ids']
@property
def SELF_WRITEABLE_FIELDS(self):
return super().SELF_WRITEABLE_FIELDS + ['api_key_ids']
def _rpc_api_keys_only(self):
""" To be overridden if RPC access needs to be restricted to API keys, e.g. for 2FA """
return False
def _check_credentials(self, password, user_agent_env):
user_agent_env = user_agent_env or {}
if user_agent_env.get('interactive', True):
if 'interactive' not in user_agent_env:
_logger.warning(
"_check_credentials without 'interactive' env key, assuming interactive login. \
Check calls and overrides to ensure the 'interactive' key is properly set in \
all _check_credentials environments"
)
return super()._check_credentials(password, user_agent_env)
if not self.env.user._rpc_api_keys_only():
try:
return super()._check_credentials(password, user_agent_env)
except AccessDenied:
pass
# 'rpc' scope does not really exist, we basically require a global key (scope NULL)
if self.env['res.users.apikeys']._check_credentials(scope='rpc', key=password) == self.env.uid:
return
raise AccessDenied()
@check_identity
def api_key_wizard(self):
return {
'type': 'ir.actions.act_window',
'res_model': 'res.users.apikeys.description',
'name': 'New API Key',
'target': 'new',
'views': [(False, 'form')],
}
class APIKeys(models.Model):
_name = 'res.users.apikeys'
_description = 'Users API Keys'
_auto = False # so we can have a secret column
name = fields.Char("Description", required=True, readonly=True)
user_id = fields.Many2one('res.users', index=True, required=True, readonly=True, ondelete="cascade")
scope = fields.Char("Scope", readonly=True)
create_date = fields.Datetime("Creation Date", readonly=True)
def init(self):
table = sql.Identifier(self._table)
self.env.cr.execute(sql.SQL("""
CREATE TABLE IF NOT EXISTS {table} (
id serial primary key,
name varchar not null,
user_id integer not null REFERENCES res_users(id),
scope varchar,
index varchar({index_size}) not null CHECK (char_length(index) = {index_size}),
key varchar not null,
create_date timestamp without time zone DEFAULT (now() at time zone 'utc')
)
""").format(table=table, index_size=sql.Placeholder('index_size')), {
'index_size': INDEX_SIZE
})
index_name = self._table + "_user_id_index_idx"
if len(index_name) > 63:
# unique determinist index name
index_name = self._table[:50] + "_idx_" + sha256(self._table.encode()).hexdigest()[:8]
self.env.cr.execute(sql.SQL("""
CREATE INDEX IF NOT EXISTS {index_name} ON {table} (user_id, index);
""").format(
table=table,
index_name=sql.Identifier(index_name)
))
@check_identity
def remove(self):
return self._remove()
def _remove(self):
"""Use the remove() method to remove an API Key. This method implement logic,
but won't check the identity (mainly used to remove trusted devices)"""
if not self:
return {'type': 'ir.actions.act_window_close'}
if self.env.is_system() or self.mapped('user_id') == self.env.user:
ip = request.httprequest.environ['REMOTE_ADDR'] if request else 'n/a'
_logger.info("API key(s) removed: scope: <%s> for '%s' (#%s) from %s",
self.mapped('scope'), self.env.user.login, self.env.uid, ip)
self.sudo().unlink()
return {'type': 'ir.actions.act_window_close'}
raise AccessError(_("You can not remove API keys unless they're yours or you are a system user"))
def _check_credentials(self, *, scope, key):
assert scope, "scope is required"
index = key[:INDEX_SIZE]
self.env.cr.execute('''
SELECT user_id, key
FROM {} INNER JOIN res_users u ON (u.id = user_id)
WHERE u.active and index = %s AND (scope IS NULL OR scope = %s)
'''.format(self._table),
[index, scope])
for user_id, current_key in self.env.cr.fetchall():
if KEY_CRYPT_CONTEXT.verify(key, current_key):
return user_id
def _generate(self, scope, name):
"""Generates an api key.
:param str scope: the scope of the key. If None, the key will give access to any rpc.
:param str name: the name of the key, mainly intended to be displayed in the UI.
:return: str: the key.
"""
# no need to clear the LRU when *adding* a key, only when removing
k = binascii.hexlify(os.urandom(API_KEY_SIZE)).decode()
self.env.cr.execute("""
INSERT INTO {table} (name, user_id, scope, key, index)
VALUES (%s, %s, %s, %s, %s)
RETURNING id
""".format(table=self._table),
[name, self.env.user.id, scope, KEY_CRYPT_CONTEXT.hash(k), k[:INDEX_SIZE]])
ip = request.httprequest.environ['REMOTE_ADDR'] if request else 'n/a'
_logger.info("%s generated: scope: <%s> for '%s' (#%s) from %s",
self._description, scope, self.env.user.login, self.env.uid, ip)
return k
class APIKeyDescription(models.TransientModel):
_name = 'res.users.apikeys.description'
_description = 'API Key Description'
name = fields.Char("Description", required=True)
@check_identity
def make_key(self):
# only create keys for users who can delete their keys
self.check_access_make_key()
description = self.sudo()
k = self.env['res.users.apikeys']._generate(None, self.sudo().name)
description.unlink()
return {
'type': 'ir.actions.act_window',
'res_model': 'res.users.apikeys.show',
'name': _('API Key Ready'),
'views': [(False, 'form')],
'target': 'new',
'context': {
'default_key': k,
}
}
def check_access_make_key(self):
if not self.user_has_groups('base.group_user'):
raise AccessError(_("Only internal users can create API keys"))
class APIKeyShow(models.AbstractModel):
_name = 'res.users.apikeys.show'
_description = 'Show API Key'
# the field 'id' is necessary for the onchange that returns the value of 'key'
id = fields.Id()
key = fields.Char(readonly=True)