[FIX] security issue: avoid access to inactive users

[FIX] security issue: avoid access with 'None' password (Thanks to P. Christeas for the bug report) bzr revid: christophe@tinyerp.com-20090813111224-f05a3z5i0wvewy85

[FIX] security issue: avoid access to inactive users
06c062e6 · Christophe Simonis · e0a62de1 · 06c062e6
Commit 06c062e6 authored 15 years ago by Christophe Simonis
--- a/bin/service/security.py
+++ b/bin/service/security.py
@@ -45,13 +45,14 @@ def check_super(passwd):
        raise Exception('AccessDenied')

 def check(db, uid, passwd):
-    if _uid_cache.get(db, {}).get(uid) == passwd:
+    cached_pass = _uid_cache.get(db, {}).get(uid)
+    if (cached_pass is not None) and cached_pass == passwd:
        return True
    cr = pooler.get_db(db).cursor()
    if passwd:
-        cr.execute('select count(*) from res_users where id=%s and password=%s', (int(uid), passwd))
+        cr.execute('select count(1) from res_users where id=%s and password=%s and active=%s', (int(uid), passwd, True))
    else:
-        cr.execute('select count(*) from res_users where id=%s and password is null', (int(uid),))    
+        cr.execute('select count(1) from res_users where id=%s and password is null and active=%s', (int(uid), True))    
    res = cr.fetchone()[0]
    cr.close()
    if not bool(res):