[6.0] users_ldap does not set last login date and allows login of inactive users

Bug #784501 reported by Stéphane Bidoul (Acsone)
This bug affects 3 people
Affects: Odoo Addons (MOVED TO GITHUB)
Status: Fix Released
Importance: Medium
Assigned to: OpenERP's Framework R&D
Milestone:

Bug Description

Hello,

When using the users_ldap module, the last login date is not set for users authenticating against LDAP.

Additionally, the active flag is not checked, allowing users that are marked inactive in the OpenERP database to log in provided they have valid LDAP credentials.

Proposed patch attached.

Best regards,

-sbi

Stéphane Bidoul (Acsone) (sbi) wrote :

I attach an improved patch (the previous one was missing a commit).

Note that I've not tested the interaction with the create_users option. If create_user is set, when connecting as an inactive user, the system will attempt to create another user and it will fail due to the unique_key constraint on login.

Olivier Dony (Odoo) (odo-openerp) wrote :

Hello Stéphane,

Thanks for reporting and providing a patch! You're right about the bug, but I think the issue is greatly mitigated by the fact that if you are using LDAP authentication, you are supposed to manage the authentication policy at the LDAP level. OpenERP only delegates to it. So if you want to disable a user, you should do it at LDAP level. This is why I'm setting the importance to Medium.

However, I agree it would be expected by most people that you can prevent an LDAP user from logging in by disabling it in OpenERP as well, so we should fix that.

No question for the last login date of course.

Now we'll have to improve the patch to handle the case where the user is disabled in OpenERP and not in LDAP, as you said, because I think the auto-creation would fail due to uniqueness of logins, leading to stranger errors.

Thanks!

Changed in openobject-addons:
assignee: nobody → OpenERP's Framework R&D (openerp-dev-framework)
importance: Undecided → Medium
status: New → Confirmed
visibility: private → public
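
The login flow discussed above, as an added Python example that is not part of the bug report, the attached patch or the users_ldap code: after a successful LDAP check the local account is looked up regardless of its active flag, an inactive account is refused instead of being re-created, and the last login date is written. The `res_users` schema, the `ldap_login` helper and the in-memory directory stand-in are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in for the directory; a real deployment would do an LDAP bind.
FAKE_LDAP = {"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"}

def ldap_bind_ok(login, password):
    return login in FAKE_LDAP and FAKE_LDAP[login] == password

def make_db():
    """Constructed sample data: alice is active, bob is disabled locally."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE res_users (id INTEGER PRIMARY KEY, "
               "login TEXT UNIQUE NOT NULL, active INTEGER NOT NULL, date TEXT)")
    db.execute("INSERT INTO res_users (login, active) VALUES ('alice', 1), ('bob', 0)")
    return db

def ldap_login(db, login, password, create_user=False):
    """Return the local user id on success, None when access is refused."""
    if not ldap_bind_ok(login, password):
        return None
    # Do not filter on active here: a disabled account must be found so it
    # can be refused, rather than looking "missing" and being auto-created.
    row = db.execute("SELECT id, active FROM res_users WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        if not create_user:
            return None
        uid = db.execute("INSERT INTO res_users (login, active) VALUES (?, 1)",
                         (login,)).lastrowid
    else:
        uid, active = row
        if not active:
            return None  # valid LDAP credentials, but disabled locally
    # Record the last login date for LDAP-authenticated users as well.
    db.execute("UPDATE res_users SET date = ? WHERE id = ?",
               (datetime.now(timezone.utc).isoformat(), uid))
    db.commit()
    return uid

def last_login(db, login):
    row = db.execute("SELECT date FROM res_users WHERE login = ?", (login,)).fetchone()
    return row[0] if row else None

def count_users(db, login):
    return db.execute("SELECT COUNT(*) FROM res_users WHERE login = ?",
                      (login,)).fetchone()[0]
```
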
Naresh(OpenERP) (nch-openerp) wrote :

Seems to be fixed with lp~openerp-community/openobject-addons/stefan-therp_lp794584, marking it as Fix Committed.

Thanks

Changed in openobject-addons:
status: Confirmed → Fix Committed
Olivier Dony (Odoo) (odo-openerp) wrote :

A fix for this issue is included in the recently merged branch from Stefan Rijnhart (Therp), which landed at revision 5520
revid: <email address hidden>.

Thanks for reporting and thanks to Stefan for the great work!

Changed in openobject-addons:
milestone: none → 6.1
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
