You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
214 lines
8.3 KiB
214 lines
8.3 KiB
# -*- coding: utf-8 -*-
|
|
#############################################################################
|
|
#
|
|
# Cybrosys Technologies Pvt. Ltd.
|
|
#
|
|
# Copyright (C) 2019-TODAY Cybrosys Technologies(<https://www.cybrosys.com>)
|
|
# Author: Milind Mohan(<https://www.cybrosys.com>)
|
|
#
|
|
# You can modify it under the terms of the GNU LESSER
|
|
# GENERAL PUBLIC LICENSE (LGPL v3), Version 3.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU LESSER GENERAL PUBLIC LICENSE (LGPL v3) for more details.
|
|
#
|
|
# You should have received a copy of the GNU LESSER GENERAL PUBLIC LICENSE
|
|
# (LGPL v3) along with this program.
|
|
# If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
#############################################################################
|
|
|
|
import os
|
|
|
|
import werkzeug
|
|
import werkzeug.contrib.sessions
|
|
import werkzeug.datastructures
|
|
import werkzeug.exceptions
|
|
import werkzeug.local
|
|
import werkzeug.routing
|
|
import werkzeug.wrappers
|
|
import werkzeug.wsgi
|
|
from odoo.addons.web.controllers import main
|
|
|
|
import odoo
|
|
import odoo.modules.registry
|
|
from odoo import SUPERUSER_ID
|
|
from odoo import http
|
|
from odoo.exceptions import AccessError
|
|
from odoo.http import Response
|
|
from odoo.http import request
|
|
from odoo.service import security
|
|
from odoo.tools.translate import _
|
|
|
|
|
|
def clear_session_history(u_sid, f_uid=False):
|
|
""" Clear all the user session histories for a particular user """
|
|
path = odoo.tools.config.session_dir
|
|
store = werkzeug.contrib.sessions.FilesystemSessionStore(
|
|
path, session_class=odoo.http.OpenERPSession, renew_missing=True)
|
|
session_fname = store.get_session_filename(u_sid)
|
|
try:
|
|
os.remove(session_fname)
|
|
return True
|
|
except OSError:
|
|
pass
|
|
return False
|
|
|
|
|
|
def super_clear_all():
|
|
""" Clear all the user session histories """
|
|
path = odoo.tools.config.session_dir
|
|
store = werkzeug.contrib.sessions.FilesystemSessionStore(
|
|
path, session_class=odoo.http.OpenERPSession, renew_missing=True)
|
|
for fname in os.listdir(store.path):
|
|
path = os.path.join(store.path, fname)
|
|
try:
|
|
os.unlink(path)
|
|
except OSError:
|
|
pass
|
|
return True
|
|
|
|
|
|
class Session(main.Session):
|
|
@http.route('/web/session/logout', type='http', auth="none")
|
|
def logout(self, redirect='/web'):
|
|
user = request.env['res.users'].with_user(1).search(
|
|
[('id', '=', request.session.uid)])
|
|
# clear user session
|
|
user._clear_session()
|
|
request.session.logout(keep_db=True)
|
|
return werkzeug.utils.redirect(redirect, 303)
|
|
|
|
@http.route('/clear_all_sessions', type='http', auth="none")
|
|
def logout_all(self, redirect='/web', f_uid=False):
|
|
""" Log out from all the sessions of the current user """
|
|
if f_uid:
|
|
user = request.env['res.users'].with_user(1).browse(int(f_uid))
|
|
if user:
|
|
# clear session session file for the user
|
|
session_cleared = clear_session_history(user.sid, f_uid)
|
|
if session_cleared:
|
|
# clear user session
|
|
user._clear_session()
|
|
request.session.logout(keep_db=True)
|
|
return werkzeug.utils.redirect(redirect, 303)
|
|
|
|
@http.route('/super/logout_all', type='http', auth="none")
|
|
def super_logout_all(self, redirect='/web'):
|
|
""" Log out from all the sessions of all the users """
|
|
users = request.env['res.users'].with_user(1).search([])
|
|
for user in users:
|
|
# clear session session file for the user
|
|
session_cleared = super_clear_all()
|
|
if session_cleared:
|
|
# clear user session
|
|
user._clear_session()
|
|
request.session.logout(keep_db=True)
|
|
return werkzeug.utils.redirect(redirect, 303)
|
|
|
|
|
|
class Home(main.Home):
|
|
|
|
@http.route('/web/login', type='http', auth="none")
|
|
def web_login(self, redirect=None, **kw):
|
|
main.ensure_db()
|
|
request.params['login_success'] = False
|
|
if request.httprequest.method == 'GET' and redirect and request.session.uid:
|
|
return http.redirect_with_hash(redirect)
|
|
|
|
if not request.uid:
|
|
request.uid = odoo.SUPERUSER_ID
|
|
|
|
values = request.params.copy()
|
|
try:
|
|
values['databases'] = http.db_list()
|
|
except odoo.exceptions.AccessDenied:
|
|
values['databases'] = None
|
|
|
|
if request.httprequest.method == 'POST':
|
|
old_uid = request.uid
|
|
try:
|
|
uid = request.session.authenticate(request.session.db,
|
|
request.params['login'],
|
|
request.params['password'])
|
|
request.params['login_success'] = True
|
|
return http.redirect_with_hash(
|
|
self._login_redirect(uid, redirect=redirect))
|
|
except odoo.exceptions.AccessDenied as e:
|
|
failed_uid = request.uid
|
|
request.uid = old_uid
|
|
if e.args == odoo.exceptions.AccessDenied().args:
|
|
values['error'] = _("Wrong login/password")
|
|
elif e.args[0] == "already_logged_in":
|
|
values['error'] = "User already logged in. Log out from " \
|
|
"other devices and try again."
|
|
values['logout_all'] = True
|
|
values[
|
|
'failed_uid'] = failed_uid if failed_uid != SUPERUSER_ID else False
|
|
else:
|
|
values['error'] = e.args[0]
|
|
else:
|
|
if 'error' in request.params and request.params.get(
|
|
'error') == 'access':
|
|
values['error'] = _('Only employee can access this database. '
|
|
'Please contact the administrator.')
|
|
|
|
if 'login' not in values and request.session.get('auth_login'):
|
|
values['login'] = request.session.get('auth_login')
|
|
|
|
if not odoo.tools.config['list_db']:
|
|
values['disable_database_manager'] = True
|
|
|
|
response = request.render('web.login', values)
|
|
response.headers['X-Frame-Options'] = 'DENY'
|
|
return response
|
|
|
|
|
|
class RootExt(odoo.http.Root):
|
|
|
|
def get_response(self, httprequest, result, explicit_session):
|
|
if isinstance(result, Response) and result.is_qweb:
|
|
try:
|
|
result.flatten()
|
|
except Exception as e:
|
|
if request.db:
|
|
result = request.registry['ir.http']._handle_exception(e)
|
|
else:
|
|
raise
|
|
|
|
if isinstance(result, (bytes, str)):
|
|
response = Response(result, mimetype='text/html')
|
|
else:
|
|
response = result
|
|
|
|
save_session = (not request.endpoint) or request.endpoint.routing.get(
|
|
'save_session', True)
|
|
if not save_session:
|
|
return response
|
|
|
|
if httprequest.session.should_save:
|
|
if httprequest.session.rotate:
|
|
self.session_store.delete(httprequest.session)
|
|
httprequest.session.sid = self.session_store.generate_key()
|
|
if httprequest.session.uid:
|
|
httprequest.session.session_token = security.compute_session_token(
|
|
httprequest.session, request.env)
|
|
httprequest.session.modified = True
|
|
self.session_store.save(httprequest.session)
|
|
# We must not set the cookie if the session id was specified using a http header or a GET parameter.
|
|
# There are two reasons to this:
|
|
# - When using one of those two means we consider that we are overriding the cookie, which means creating a new
|
|
# session on top of an already existing session and we don't want to create a mess with the 'normal' session
|
|
# (the one using the cookie). That is a special feature of the Session Javascript class.
|
|
# - It could allow session fixation attacks.
|
|
if not explicit_session and hasattr(response, 'set_cookie'):
|
|
response.set_cookie('session_id', httprequest.session.sid,
|
|
max_age=60 * 60, httponly=True)
|
|
|
|
return response
|
|
|
|
|
|
root = RootExt()
|
|
odoo.http.Root.get_response = root.get_response
|
|
|