from osv import fields,osv
import pooler
from tools.translate import _
+from service import security
magic_md5 = '$1$'
cr.close()
def _login(self, cr, db, login, password):
- cr.execute( 'SELECT password, id FROM res_users WHERE login=%s',
+ cr.execute( 'SELECT password, id FROM res_users WHERE login=%s AND active',
(login.encode('utf-8'),))
if cr.rowcount:
return False
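Review bot: `_login` gains the `AND active` filter but, in the lines shown, no counterpart to the empty-password rejection that this commit adds to `check`. If any caller can reach `_login` with a blank `password`, the same guard belongs at the top of the function, e.g. `if not password: return False`. Only part of `_login` is visible here, so the elided lines or the caller may already handle this; it is worth confirming.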
def check(self, db, uid, passwd):
+ if not passwd:
+ # empty passwords disallowed for obvious security reasons
+ raise security.ExceptionNoTb('AccessDenied')
+
# Get a chance to hash all passwords in db before using the uid_cache.
obj = pooler.get_pool(db).get('res.users')
if not hasattr(obj, "_salt_cache"):
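Review bot: The comment on the new guard calls the reason "obvious", which does not tell the next maintainer whether the check may be moved or relaxed. I would state the rule directly, e.g. `# reject blank credentials before any cache or database lookup, so no stored or cached value can match an empty password`. `check` continues past the lines shown here.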
raise security.ExceptionNoTb('AccessDenied')
else:
salt = self._salt_cache[db][uid]
- cr.execute('SELECT COUNT(*) FROM res_users WHERE id=%s AND password=%s',
+ cr.execute('SELECT COUNT(*) FROM res_users WHERE id=%s AND password=%s AND active',
(int(uid), encrypt_md5(passwd, salt)))
res = cr.fetchone()[0]
finally:
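Review bot: The added `AND active` only protects the database comparison in this branch, while the comment at the top of `check` mentions a `uid_cache` and this branch itself reads a cached salt. If a cached-credential path elsewhere in `check` (not visible in this hunk) returns before the query runs, a deactivated user could presumably keep authenticating until that cache is cleared. It is worth confirming that deactivating a user evicts its `uid_cache` and `_salt_cache` entries. A note next to the query would record the dependency, e.g. `# cache hits skip this query: deactivating a user must also clear the caches`.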