Mar 28 : [UPDT] Updated 'access_restriction_by_ip'

4 weeks ago · 8c666cd647
6 changed files with 47 additions and 8 deletions
--- a/access_restriction_by_ip/manifest.py
+++ b/access_restriction_by_ip/manifest.py
@ -18,7 +18,7 @@
 {
    'name': 'Access Restriction By IP',
    'summary': """User Can Access His Account Only From Specified IP Address""",
-    'version': '16.0.1.0.0',
+    'version': '16.0.1.0.1',
    'description': """User Can Access His Account Only From Specified IP Address""",
    'live_test_url': 'https://youtu.be/nn6dAL6eKPc',
    'author': 'Cybrosys Techno Solutions',
--- a/access_restriction_by_ip/controllers/init.py
+++ b/access_restriction_by_ip/controllers/init.py
@ -17,4 +17,4 @@
 #
 ##############################################################################
 from . import main
-
+from . import session
--- a/access_restriction_by_ip/controllers/main.py
+++ b/access_restriction_by_ip/controllers/main.py
@ -39,7 +39,6 @@ class Home(home.Home):
        request.params['login_success'] = False
        if request.httprequest.method == 'GET' and redirect and request.session.uid:
            return request.redirect(redirect)
-
        # simulate hybrid auth=user/auth=public, despite using auth=none to be able
        # to redirect users when no db is selected - cfr ensure_db()
        if request.env.uid is None:
@ -49,7 +48,6 @@ class Home(home.Home):
            else:
                # auth=user
                request.update_env(user=request.session.uid)
-
        values = {k: v for k, v in request.params.items() if k in SIGN_UP_REQUEST_PARAMS}
        try:
            values['databases'] = http.db_list()
@ -103,7 +101,6 @@ class Home(home.Home):

        if not odoo.tools.config['list_db']:
            values['disable_database_manager'] = True
-
        response = request.render('web.login', values)
        response.headers['X-Frame-Options'] = 'SAMEORIGIN'
        response.headers['Content-Security-Policy'] = "frame-ancestors 'self'"
--- a/access_restriction_by_ip/controllers/session.py
+++ b/access_restriction_by_ip/controllers/session.py
@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+
+import odoo
+from odoo.addons.web.controllers.session import Session
+from odoo import http
+from odoo.exceptions import AccessError
+from odoo.http import request
+
+
+class AccessRestrict(Session):
+    @http.route()
+    def authenticate(self, db, login, password, base_location=None):
+        if not http.db_filter([db]):
+            raise AccessError("Database not found.")
+        pre_uid = request.session.authenticate(db, login, password)
+        ip_address = request.httprequest.environ['REMOTE_ADDR']
+        user = request.env['res.users'].sudo().browse(pre_uid).exists()
+        if user and user.allowed_ips:
+            ip_list = set(user.allowed_ips.mapped('ip_address'))
+            if ip_address not in ip_list:
+                raise AccessError("Not allowed to login from this IP")
+        if pre_uid != request.session.uid:
+            # Crapy workaround for unupdatable Odoo Mobile App iOS (Thanks Apple :@) and Android
+            # Correct behavior should be to raise AccessError("Renewing an expired session for user that has multi-factor-authentication is not supported. Please use /web/login instead.")
+            return {'uid': None}
+
+        request.session.db = db
+        registry = odoo.modules.registry.Registry(db)
+        with registry.cursor() as cr:
+            env = odoo.api.Environment(cr, request.session.uid, request.session.context)
+            if not request.db:
+                # request._save_session would not update the session_token
+                # as it lacks an environment, rotating the session myself
+                http.root.session_store.rotate(request.session, env)
+                request.future_response.set_cookie(
+                    'session_id', request.session.sid,
+                    max_age=http.SESSION_LIFETIME, httponly=True
+                )
+            return env['ir.http'].session_info()
--- a/access_restriction_by_ip/doc/RELEASE_NOTES.md
+++ b/access_restriction_by_ip/doc/RELEASE_NOTES.md
@ -1,12 +1,14 @@
 ## Module <access_restriction_by_ip>

 #### 12.12.2021
-#### Version 15.0.1.0.0
+#### Version 16.0.1.0.0
 #### ADD Initial Commit for access_restriction_by_ip

 #### 12.09.2023
 #### Version 16.0.1.0.0
 #### Bug fixing related to addon's updates

-
-
+#### 25.03.2025
+#### Version 16.0.1.0.1
+#### Bug fixing related to addon's updates
+- The latest module included ip restriction when instance accessed through the mobile app.
--- a/access_restriction_by_ip/models/allowed_ips.py
+++ b/access_restriction_by_ip/models/allowed_ips.py
@ -27,6 +27,7 @@ class ResUsersInherit(models.Model):


 class AllowedIPs(models.Model):
+    """Model to store the allowed ip of the users"""
    _name = 'allowed.ips'

    users_ip = fields.Many2one('res.users', string='IP')