From 317fe99c54b72f5309f42152b90afeb18efab12d Mon Sep 17 00:00:00 2001
From: Tom
Date: Tue, 3 Dec 2024 16:35:20 +0100
Subject: [PATCH] [FIX] some permission problems; call super in order to have regular password reset flow intact
---
 auth_sms/models/res_users.py | 5 +--
 auth_sms/models/sms_provider.py | 2 +-
 auth_sms/static/description/index.html | 11 +++---
 .../controllers/auth_sms_auth_signup.py | 36 +++++++++++--------
 .../static/description/index.html | 11 +++---
 5 files changed, 34 insertions(+), 31 deletions(-)
diff --git a/auth_sms/models/res_users.py b/auth_sms/models/res_users.py
index a3f6525e3..a1805c21d 100644
--- a/auth_sms/models/res_users.py
+++ b/auth_sms/models/res_users.py
@@ -100,7 +100,7 @@ def _auth_sms_send(self, user_id):
 request and request.session.sid,
 )
 user = self.env["res.users"].browse(user_id)
- self.env["auth_sms.code"].create(
+ self.env["auth_sms.code"].sudo().create(
 {
 "code": code,
 "user_id": user.id,
@@ -109,7 +109,8 @@ def _auth_sms_send(self, user_id):
 )
 if not user.sudo()._auth_sms_check_rate_limit():
 raise AccessDeniedSmsRateLimit(_("SMS rate limit"))
- if not self.env["sms.provider"].send_sms(user.mobile, code):
+ mobile = user.sudo().mobile
+ if not self.env["sms.provider"].send_sms(mobile, code):
 raise UserError(_("Sending SMS failed"))
 
 def _auth_sms_check_rate_limit(self):
diff --git a/auth_sms/models/sms_provider.py b/auth_sms/models/sms_provider.py
index 2f6d04276..c376f0533 100644
--- a/auth_sms/models/sms_provider.py
+++ b/auth_sms/models/sms_provider.py
@@ -39,7 +39,7 @@ def action_send_test(self):
 
 @api.model
 def send_sms(self, number, text, **kwargs):
- provider = self.search([], limit=1)
+ provider = self.sudo().search([], limit=1)
 if not provider:
 return False
 _logger.debug(
diff --git a/auth_sms/static/description/index.html b/auth_sms/static/description/index.html
index 4ccb6d89c..349c0bfe9 100644
--- a/auth_sms/static/description/index.html
+++ b/auth_sms/static/description/index.html
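Review bot: `mobile = user.sudo().mobile` in the second res_users.py hunk is handed to `send_sms` without checking that it is set, so an account with no number still triggers a provider call and, judging by the first hunk, has already had a code row written for it. A guard such as `if not mobile: raise UserError(_("Sending SMS failed"))` before the send keeps the existing message, which avoids telling the requester which accounts have a number on file. The two new `sudo()` calls (this one and `self.env["auth_sms.code"].sudo().create(` in the first hunk) would also benefit from a short comment saying why the elevation is needed and that callers must pass a `user_id` they have already tied to the current request. `_auth_sms_send` starts and ends outside both hunks.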
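Review bot: Putting `sudo()` inside `send_sms` in sms_provider.py moves the privilege elevation into a method with no leading underscore, which Odoo normally exposes over RPC; before this change the `search` applied the caller's access rights on `sms.provider`. If that holds here, any logged-in user could have messages sent through the configured provider regardless of their rights on the model. I would leave this line as it was and elevate at the trusted call site instead, `if not self.env["sms.provider"].sudo().send_sms(mobile, code):` in `_auth_sms_send`. The rest of `send_sms` is outside the hunk, so whether later steps add their own checks cannot be seen from here.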
@@ -8,11 +8,10 @@ /* :Author: David Goodger (goodger@python.org) -:Id: $Id: html4css1.css 9511 2024-01-13 09:50:07Z milde $ +:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $ :Copyright: This stylesheet has been placed in the public domain. Default cascading style sheet for the HTML output of Docutils. -Despite the name, some widely supported CSS2 features are used. See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to customize this style sheet. @@ -275,7 +274,7 @@ margin-left: 2em ; margin-right: 2em } -pre.code .ln { color: gray; } /* line numbers */ +pre.code .ln { color: grey; } /* line numbers */ pre.code, code { background-color: #eeeeee } pre.code .comment, code .comment { color: #5C6576 } pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold } @@ -301,7 +300,7 @@ span.pre { white-space: pre } -span.problematic, pre.problematic { +span.problematic { color: red } span.section-subtitle { @@ -461,9 +460,7 @@

Other credits

Maintainers

This module is maintained by the OCA.

- -Odoo Community Association - +Odoo Community Association

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.

diff --git a/auth_sms_auth_signup/controllers/auth_sms_auth_signup.py b/auth_sms_auth_signup/controllers/auth_sms_auth_signup.py
index 6158bcbbc..eae904dd2 100644
--- a/auth_sms_auth_signup/controllers/auth_sms_auth_signup.py
+++ b/auth_sms_auth_signup/controllers/auth_sms_auth_signup.py
@@ -1,17 +1,22 @@
 # Copyright 2019 Therp BV
 # License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+import logging
+import traceback
+
 from odoo import http
 from odoo.http import request
 
 from odoo.addons.auth_signup.controllers.main import AuthSignupHome
 
+_logger = logging.getLogger(__name__)
+
 
 class AuthSmsAuthSignup(AuthSignupHome):
 @http.route()
 def web_auth_reset_password(self, *args, **kw):
 qcontext = self.get_auth_signup_qcontext()
 if not qcontext.get("token") or qcontext.get("error"):
- return super(AuthSmsAuthSignup, self).web_auth_reset_password(*args, **kw)
+ return super().web_auth_reset_password(*args, **kw)
 partner = (
 request.env["res.partner"]
 .sudo()
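Review bot: `import traceback` is only here to feed `_logger.error(traceback.format_exc())` in the two `except Exception` handlers of the next hunk; `_logger.exception("SMS verification failed during password reset")` records the same traceback without the extra import. Those handlers also catch every exception and put `str(e)` on a page served to unauthenticated visitors, so an unexpected error can expose internal detail there. Catching the expected types (the res_users.py hunks show `AccessDeniedSmsRateLimit` and `UserError`) and rendering a generic message for anything else would be safer, and the expected cases probably do not need error-level tracebacks in the log. `web_auth_reset_password` continues past the end of this hunk.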
@@ -20,21 +25,24 @@ def web_auth_reset_password(self, *args, **kw):
 )
 )
 user = partner.user_ids[:1]
- if request.httprequest.method == "POST" and kw.get("auth_sms_request_code"):
- try:
- request.env["res.users"].sudo()._auth_sms_send(user.id)
- qcontext["auth_sms_code_requested"] = True
- except Exception as e:
- qcontext["error"] = e.message or e
- elif request.httprequest.method == "POST" and kw.get("auth_sms_code"):
+ if request.httprequest.method == "POST" and kw.get("auth_sms_code"):
 request.session["auth_sms.code"] = kw["auth_sms_code"]
 try:
- user.sudo(user)._auth_sms_check_credentials()
+ user.with_user(user)._auth_sms_check_credentials()
 except Exception as e:
 del request.session["auth_sms.code"]
- qcontext["error"] = e.message if hasattr(e, "message") else str(e)
+ qcontext["error"] = str(e)
+ _logger.error(traceback.format_exc())
 if request.session.get("auth_sms.code"):
- return super(AuthSmsAuthSignup, self).web_auth_reset_password(
- *args, **kw
- )
- return request.render("auth_signup.reset_password", qcontext)
+ return super().web_auth_reset_password(*args, **kw)
+ return request.render("auth_signup.reset_password", qcontext)
+ elif request.httprequest.method == "POST" and kw.get("auth_sms_request_code"):
+ try:
+ request.env["res.users"].sudo()._auth_sms_send(user.id)
+ qcontext["auth_sms_code_requested"] = True
+ except Exception as e:
+ qcontext["error"] = str(e)
+ _logger.error(traceback.format_exc())
+ return request.render("auth_signup.reset_password", qcontext)
+
+ return super().web_auth_reset_password(*args, **kw)
diff --git a/auth_sms_auth_signup/static/description/index.html b/auth_sms_auth_signup/static/description/index.html
index 1f3924d09..8ce8802bd 100644
--- a/auth_sms_auth_signup/static/description/index.html
+++ b/auth_sms_auth_signup/static/description/index.html
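Review bot: The new final `return super().web_auth_reset_password(*args, **kw)` is reached by any tokened POST that carries neither `auth_sms_code` nor `auth_sms_request_code`, and nothing visible here checks first whether SMS verification is enabled for `user`. Before this change that case only re-rendered the form, so the parent handler ran only after `_auth_sms_check_credentials()` had passed; now the SMS step looks skippable for accounts that have it enabled, unless another layer enforces it. I would fall through to `super()` only when `user` has SMS verification turned off (the flag's field name is not visible in this diff) and otherwise keep `return request.render("auth_signup.reset_password", qcontext)`. `user = partner.user_ids[:1]` can also be empty, which neither branch handles before using `user.id` or `user.with_user(user)`. Indentation is flattened on this page, so this reading assumes the last `return` sits at function level.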
@@ -8,11 +8,10 @@ /* :Author: David Goodger (goodger@python.org) -:Id: $Id: html4css1.css 9511 2024-01-13 09:50:07Z milde $ +:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $ :Copyright: This stylesheet has been placed in the public domain. Default cascading style sheet for the HTML output of Docutils. -Despite the name, some widely supported CSS2 features are used. See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to customize this style sheet. @@ -275,7 +274,7 @@ margin-left: 2em ; margin-right: 2em } -pre.code .ln { color: gray; } /* line numbers */ +pre.code .ln { color: grey; } /* line numbers */ pre.code, code { background-color: #eeeeee } pre.code .comment, code .comment { color: #5C6576 } pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold } @@ -301,7 +300,7 @@ span.pre { white-space: pre } -span.problematic, pre.problematic { +span.problematic { color: red } span.section-subtitle { @@ -416,9 +415,7 @@

Other credits

Maintainers

This module is maintained by the OCA.

- -Odoo Community Association - +Odoo Community Association

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.