[IMP] Allow the administrator to forbid passwords that contain the login. #1494
6dd9f34 to 7fcd317
👍 Tested and LGTM
Why is Travis red?
It seems there are now some tests that fail that assume logins could be the same. This is true of course by default for admin and demo in demo. Probably some additional code is needed that suspends these checks for the relevant users, but of course only when testing (not to re-introduce the security hole this PR intends to stop).
You could add a demo data file that disables that check in demo envs.
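The policy this PR discusses, sketched as an added example (not the module's code and not part of any comment in this thread). Only the flag name `password_no_login` comes from the page; the function names and the Unicode folding are assumptions.

```python
import unicodedata


class PasswordContainsLogin(ValueError):
    """Raised when a candidate password embeds the user's login."""


def _fold(text):
    # NFKC maps compatibility forms (e.g. full-width letters) to their plain
    # equivalents; casefold() is a stronger, Unicode-aware lower().
    return unicodedata.normalize("NFKC", text or "").casefold()


def check_password_no_login(password, login, password_no_login=True):
    """Return True if the password is acceptable, raise otherwise.

    password_no_login mirrors the company field name seen in this PR; the
    function itself is hypothetical.
    """
    if not password_no_login:
        return True  # policy switched off, e.g. by demo data
    folded_login = _fold(login).strip()
    if not folded_login:
        # "" is a substring of every string: without this guard an empty
        # login would reject all passwords.
        return True
    if folded_login in _fold(password):
        raise PasswordContainsLogin("Password must not contain the login")
    return True


def is_allowed(password, login, password_no_login=True):
    """Boolean wrapper around check_password_no_login."""
    try:
        return check_password_no_login(password, login, password_no_login)
    except PasswordContainsLogin:
        return False


if __name__ == "__main__":
    # Constructed sample accounts, including the demo-style login == password.
    samples = [("admin", "admin"), ("demo", "My-Demo-2019"),
               ("alice", "correct horse battery")]
    for login, password in samples:
        print(login, is_allowed(password, login),
              is_allowed(password, login, password_no_login=False))
```
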
@daramousk I think the easiest thing to do is either:
Yes, I meant that. I think option 2 is better because
1d699cf to 1afcc8e
fd1b853 to 9f30584
@NL66278 Ok I tried figuring out whether this module breaks the tests on
Odoo broke that test, and possibly lots of others, with odoo/odoo#30768. I'm investigating its fix.
@daramousk the module auth_brute_force tests with passwords that contain the login. That should be rectified to be fully compatible with password_security. I had made a fix that I wanted to submit as a PR on your branch, but unfortunately I cannot make PRs on your repo anymore. See patch.
41bac8c to 21b897e
21b897e to 5d98fbf
@hbrunn Maybe I could get a review here so that this can be merged as well.
This PR has the
def setUp(cls): | ||
super(TestResUsers, cls).setUp() | ||
cls.main_comp = cls.env.ref('base.main_company') | ||
def setUp(self): |
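Review bot: the super call on the second line, super(TestResUsers, cls).setUp(), has to change together with the signature. If the method stays def setUp(self), that call and the cls.main_comp assignment both need self; if a class-level fixture is intended, the method should be a @classmethod named setUpClass that calls super(TestResUsers, cls).setUpClass(), since with setUp the name cls is really an instance and main_comp is looked up again for every test.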
I think that the fix is wrong. Instead of changing all cls for self, you should change setUp for setUpClass.
This benefits from SavepointCase and speeds up tests.
Another option would be to switch for a TransactionCase instead.
<odoo> | ||
|
||
<record id="base.main_company" model="res.company"> | ||
<field name="password_no_login">False</field> |
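Review bot: the record on base.main_company switches password_no_login off with no explanation in the file. Add an XML comment above the record saying the value is there only so that the demo users whose password equals their login keep working, and confirm the file is loaded as demo data only, so the check is not turned off on databases without demo data.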
<field name="password_no_login">False</field> | |
<field name="password_no_login" eval="False"/> |
4c0c4bd to 5d98fbf
@NL66278 Yes indeed, I have reverted that
@hbrunn Ping for this one that has not been merged yet.
Hello @pedrobaeza,
Please check comment from @yajo
There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
@NL66278