[FIX] security issue: avoid access to inactive users

[FIX] security issue: avoid access with 'None' password (Thanks to P. Christeas for the bug report)

bzr revid: christophe@tinyerp.com-20090813111224-f05a3z5i0wvewy85

diff --git a/bin/service/security.py b/bin/service/security.py
index 3a4c3c8..5c9e919 100644 (file)
--- a/bin/service/security.py
+++ b/bin/service/security.py
@@ -45,13 +45,14 @@ def check_super(passwd):
         raise Exception('AccessDenied')
 
 def check(db, uid, passwd):
-    if _uid_cache.get(db, {}).get(uid) == passwd:
+    cached_pass = _uid_cache.get(db, {}).get(uid)
+    if (cached_pass is not None) and cached_pass == passwd:
         return True
     cr = pooler.get_db(db).cursor()
     if passwd:
-        cr.execute('select count(*) from res_users where id=%s and password=%s', (int(uid), passwd))
+        cr.execute('select count(1) from res_users where id=%s and password=%s and active=%s', (int(uid), passwd, True))
     else:
-        cr.execute('select count(*) from res_users where id=%s and password is null', (int(uid),))    
+        cr.execute('select count(1) from res_users where id=%s and password is null and active=%s', (int(uid), True))    
     res = cr.fetchone()[0]
     cr.close()
     if not bool(res):