[MERGE] merge with latest stable

[odoo/odoo.git] / addons / base_crypt / crypt.py

diff --git a/addons/base_crypt/crypt.py b/addons/base_crypt/crypt.py
index 9f437ac..a616b7e 100644 (file)
--- a/addons/base_crypt/crypt.py
+++ b/addons/base_crypt/crypt.py
@@ -41,6 +41,7 @@ from string import ascii_letters, digits
 from osv import fields,osv
 import pooler
 from tools.translate import _
+from service import security
 
 magic_md5 = '$1$'
 
@@ -184,7 +185,7 @@ class users(osv.osv):
                 cr.close()
 
     def _login(self, cr, db, login, password):
-        cr.execute( 'SELECT password, id FROM res_users WHERE login=%s',
+        cr.execute( 'SELECT password, id FROM res_users WHERE login=%s AND active',
             (login.encode('utf-8'),))
 
         if cr.rowcount:
@@ -220,6 +221,10 @@ class users(osv.osv):
             return False
 
     def check(self, db, uid, passwd):
+        if not passwd:
+            # empty passwords disallowed for obvious security reasons
+            raise security.ExceptionNoTb('AccessDenied')
+
         # Get a chance to hash all passwords in db before using the uid_cache.
         obj = pooler.get_pool(db).get('res.users')
         if not hasattr(obj, "_salt_cache"):
@@ -245,7 +250,7 @@ class users(osv.osv):
                     raise security.ExceptionNoTb('AccessDenied')
             else:
                 salt = self._salt_cache[db][uid]
-                cr.execute('SELECT COUNT(*) FROM res_users WHERE id=%s AND password=%s', 
+                cr.execute('SELECT COUNT(*) FROM res_users WHERE id=%s AND password=%s AND active', 
                     (int(uid), encrypt_md5(passwd, salt)))
                 res = cr.fetchone()[0]
         finally: