diff --git a/access_restriction_by_ip/__manifest__.py b/access_restriction_by_ip/__manifest__.py index 27f722010..e395a7871 100644 --- a/access_restriction_by_ip/__manifest__.py +++ b/access_restriction_by_ip/__manifest__.py @@ -18,7 +18,7 @@ { 'name': 'Access Restriction By IP', 'summary': """User Can Access His Account Only From Specified IP Address""", - 'version': '16.0.1.0.0', + 'version': '16.0.1.0.1', 'description': """User Can Access His Account Only From Specified IP Address""", 'live_test_url': 'https://youtu.be/nn6dAL6eKPc', 'author': 'Cybrosys Techno Solutions', diff --git a/access_restriction_by_ip/controllers/__init__.py b/access_restriction_by_ip/controllers/__init__.py index 1939c6696..3bc07e3eb 100644 --- a/access_restriction_by_ip/controllers/__init__.py +++ b/access_restriction_by_ip/controllers/__init__.py @@ -17,4 +17,4 @@ # ############################################################################## from . import main - +from . import session diff --git a/access_restriction_by_ip/controllers/main.py b/access_restriction_by_ip/controllers/main.py index 5ce271a19..c6cc7d490 100644 --- a/access_restriction_by_ip/controllers/main.py +++ b/access_restriction_by_ip/controllers/main.py @@ -39,7 +39,6 @@ class Home(home.Home): request.params['login_success'] = False if request.httprequest.method == 'GET' and redirect and request.session.uid: return request.redirect(redirect) - # simulate hybrid auth=user/auth=public, despite using auth=none to be able # to redirect users when no db is selected - cfr ensure_db() if request.env.uid is None: @@ -49,7 +48,6 @@ class Home(home.Home): else: # auth=user request.update_env(user=request.session.uid) - values = {k: v for k, v in request.params.items() if k in SIGN_UP_REQUEST_PARAMS} try: values['databases'] = http.db_list() 
@@ -103,7 +101,6 @@ class Home(home.Home): if not odoo.tools.config['list_db']: values['disable_database_manager'] = True - response = request.render('web.login', values) response.headers['X-Frame-Options'] = 'SAMEORIGIN' response.headers['Content-Security-Policy'] = "frame-ancestors 'self'" diff --git a/access_restriction_by_ip/controllers/session.py b/access_restriction_by_ip/controllers/session.py new file mode 100644 index 000000000..4167bf8ad --- /dev/null +++ b/access_restriction_by_ip/controllers/session.py 
@@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+
+import odoo
+from odoo.addons.web.controllers.session import Session
+from odoo import http
+from odoo.exceptions import AccessError
+from odoo.http import request
+
+
+class AccessRestrict(Session):
+ @http.route()
+ def authenticate(self, db, login, password, base_location=None):
+ if not http.db_filter([db]):
+ raise AccessError("Database not found.")
+ pre_uid = request.session.authenticate(db, login, password)
+ ip_address = request.httprequest.environ['REMOTE_ADDR']
+ user = request.env['res.users'].sudo().browse(pre_uid).exists()
+ if user and user.allowed_ips:
+ ip_list = set(user.allowed_ips.mapped('ip_address'))
+ if ip_address not in ip_list:
+ raise AccessError("Not allowed to login from this IP")
+ if pre_uid != request.session.uid:
+ # Crapy workaround for unupdatable Odoo Mobile App iOS (Thanks Apple :@) and Android
+ # Correct behavior should be to raise AccessError("Renewing an expired session for user that has multi-factor-authentication is not supported. Please use /web/login instead.")
+ return {'uid': None}
+
+ request.session.db = db
+ registry = odoo.modules.registry.Registry(db)
+ with registry.cursor() as cr:
+ env = odoo.api.Environment(cr, request.session.uid, request.session.context)
+ if not request.db:
+ # request._save_session would not update the session_token
+ # as it lacks an environment, rotating the session myself
+ http.root.session_store.rotate(request.session, env)
+ request.future_response.set_cookie(
+ 'session_id', request.session.sid,
+ max_age=http.SESSION_LIFETIME, httponly=True
+ )
+ return env['ir.http'].session_info()
\ No newline at end of file
diff --git a/access_restriction_by_ip/doc/RELEASE_NOTES.md b/access_restriction_by_ip/doc/RELEASE_NOTES.md
index 7d9ae3cf2..abadd7023 100644
--- a/access_restriction_by_ip/doc/RELEASE_NOTES.md
+++ b/access_restriction_by_ip/doc/RELEASE_NOTES.md
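Review bot: The allow-list check in `authenticate` runs only after `request.session.authenticate(db, login, password)` has returned, and the rejection branch raises without resetting the session, so the denial relies on the framework not persisting that session on the error path, which this hunk does not show. Clearing it explicitly would make the denial self-contained: `request.session.logout(keep_db=True)` immediately before `raise AccessError("Not allowed to login from this IP")`. That message is also reachable only with a correct password, so a client outside the allow-list can tell valid credentials from invalid ones; logging the rejected attempt with the login and source address would give operators something to alert on. `environ['REMOTE_ADDR']` is the reverse proxy's address unless proxy handling rewrites it, which deserves a comment such as `# behind a reverse proxy this is the proxy address unless proxy_mode is enabled`.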
@@ -1,12 +1,14 @@ ## Module #### 12.12.2021 -#### Version 15.0.1.0.0 +#### Version 16.0.1.0.0 #### ADD Initial Commit for access_restriction_by_ip #### 12.09.2023 #### Version 16.0.1.0.0 #### Bug fixing related to addon's updates - - +#### 25.03.2025 +#### Version 16.0.1.0.1 +#### Bug fixing related to addon's updates +- The latest module included ip restriction when instance accessed through the mobile app. \ No newline at end of file diff --git a/access_restriction_by_ip/models/allowed_ips.py b/access_restriction_by_ip/models/allowed_ips.py index 105e2a2f3..9fed7da38 100644 --- a/access_restriction_by_ip/models/allowed_ips.py +++ b/access_restriction_by_ip/models/allowed_ips.py @@ -27,6 +27,7 @@ class ResUsersInherit(models.Model): class AllowedIPs(models.Model): + """Model to store the allowed ip of the users""" _name = 'allowed.ips' users_ip = fields.Many2one('res.users', string='IP')