[16.0][MIG/IMP] password_security #482
Conversation
astirpe
force-pushed
the
16_mig_password_security
branch
3 times, most recently
from
da0bc38 to
567ba27
Compare
|
@astirpe Nice job; tremendous amount of work. It feels like it should be six pull requests. If you would be willing to break it up, I'd be willing to review all the parts. I think it's a bit dangerous to do it all in one go, especially with the unit tests being rewritten. How would you feel about fixing each of the items you marked for back-porting in 15.0 as separate pull requests and getting those merged first, so that your migration commit isn't quite so expansive? |
astirpe
force-pushed
the
16_mig_password_security
branch
from
567ba27 to
fc7b216
Compare
|
@amh-mw, yes that's a good idea! I backported two of the fixes: #491 (constraint of password_estimate range) and #492 (Reset Password issue) The fix for #89 is the one already discussed in #448 and that's still an open PR. The fix for #141 is just a consequence of the complete rewrite of the mocked tests. For the rest, I don't think the other points should be backported to V15. |
astirpe
force-pushed
the
16_mig_password_security
branch
from
fc7b216 to
1d6eb79
Compare
I think it would make more sense to rebase against 15.0 afterwards, so that you just have the one migration commit. |
astirpe
force-pushed
the
16_mig_password_security
branch
3 times, most recently
from
9155e59 to
6eab9a5
Compare
| "Characters", | ||
| default=12, | ||
| help="Minimum number of characters", | ||
| ) |
There was a problem hiding this comment.
Do you need to provide a migration for this field? Maybe something like:
ICP = self.env['ir.config_parameter']
ICP.set_param('auth_password_policy.minlength', max(
ICP.get_param('auth_password_policy.minlength'),
*self.env['res.company'].search([]).mapped('password_length'))
))
There was a problem hiding this comment.
Yes, seems a good idea 👍 Thanks!
There was a problem hiding this comment.
Implemented. Migration tests could be executed locally by adding password_length = fields.Integer(default=12) to res.company
| @@ -14,10 +14,10 @@ | |||
| <field name="arch" type="xml"> | |||
| <!-- We hide Odoo's minlength sections so it does not create confusion --> | |||
| <xpath expr="//label[@for='minlength']/../.." position="attributes"> | |||
| <attribute name="style">display: none</attribute> | |||
| <attribute name="invisible">1</attribute> | |||
There was a problem hiding this comment.
Seems weird to continue to hide minlength now that it has been adopted over password_length.
There was a problem hiding this comment.
It's just because I wanted to embed the minlength inside the group of fields "Password Policy"
server-auth/password_security/views/res_config_settings_views.xml
Lines 53 to 57 in 6eab9a5
This way it looks&feels better, otherwise the minlength will stay detached from the rest of the fields.
There was a problem hiding this comment.
How about instead of removing the entire box that contains the label, we reuse it? There might have been some customization within the settings box that gets removed otherwise.
Something like this?
<!-- Remove label for uniform styling -->
<xpath expr="//label[@for='minlength']" position="replace"/>
<!-- Add an id for easier lookup -->
<xpath expr="//field[@name='minlength']/ancestor::div[hasclass('o_setting_box')]" position="attributes">
<attribute name="id">password_policy</attribute>
</xpath>
<!-- Move the settings box to desired location -->
<xpath expr="//div[@id='enable_password_reset']" position="after">
<xpath expr="//div[@id='password_policy']" position="move"/>
</xpath>
<!-- Ensure our settings will come before any former customization -->
<xpath expr="//div[@id='password_policy']//div[hasclass('o_setting_right_pane')]/*" position="before">
<!-- Add all the settings here -->
<span id="minlength">
Minimum number of characters
</span>
</xpath>
<!-- Add oe_inline attribute to minlength -->
<xpath expr="//field[@name='minlength']" position="attributes">
<attribute name="class">oe_inline</attribute>
</xpath>
<!-- Move the minlength field to desired location -->
<xpath expr="//span[@id='minlength']" position="inside">
<xpath expr="//field[@name='minlength']" position="move"/>
</xpath>
It might seem like a lot of work, but I personally feel like we should try to minimize making nodes disappear
There was a problem hiding this comment.
Yes thanks! Done in b72dde1, would you check?
There was a problem hiding this comment.
Looks mostly good to me! There's the comment that still says
I don't know if you wanted the password_security settings to come before or after the previous nodes.
astirpe
force-pushed
the
16_mig_password_security
branch
2 times, most recently
from
4e7f7cf to
b6ed288
Compare
|
No idea why OCB test now fails. Maybe a temporary glitch? |
|
@astirpe Could you rebase from 16.0 to resolve the conflicts? |
astirpe
force-pushed
the
16_mig_password_security
branch
from
fe8f04b to
1f3bb89
Compare
|
Still test in OCB failing, I cannot even reproduce the failure with OCB locally. |
* [ADD] res_users_password_security: New module * Create new module to lock down user passwords * [REF] res_users_password_security: PR Review fixes * Also add beta pass history rule * [ADD] res_users_password_security: Pass history and min time * Add pass history memory and threshold * Add minimum time for pass resets through web reset * Begin controller tests * Fix copyright, wrong year for new file * Add tests for password_security_home * Left to do web_auth_reset_password * Fix minimum reset threshold and finish tests * Bug fixes per review * [REF] password_security: PR review improvements * Change tech name to password_security * Use new except format * Limit 1 & new api * Cascade deletion for pass history * [REF] password_security: Fix travis + style * Fix travis errors * self to cls * Better variable names in tests * [FIX] password_security: Fix travis errors
* Bump versions * Installable to True * Add Usage section to ReadMe w/ Runbot link * `_crypt_context` now directly exposes the `CryptContext` * Change all instances of openerp to odoo
* Add current time as password_write_date for admin user in demo, disabling the reset prompt - fixes OCA#652
* Switch security to be on correct model to fix OCA#674
…ord invalid (#859) * [FIX] password_security: Fix password stored * [REF] password_security: use a unified check_password private method to validate rules and history password
astirpe
force-pushed
the
16_mig_password_security
branch
2 times, most recently
from
00def53 to
bd08c50
Compare
astirpe
force-pushed
the
16_mig_password_security
branch
2 times, most recently
from
58adcf5 to
a00ab39
Compare
|
After upgrade and enter Settings gives the following error with the refactor: RPC_ERROR The above server error caused the following client error: |
|
@cmarrero if you are getting the error in a production server I would suggest you to restore the old code (before the config settings refactoring). Instead if you are on a test server you can try this:
|
|
I just found out that when a new user is trying to signup by entering a very large password, there is a critical performance issue. Probably that's also the reason of #487 but I didn't investigate in deep that issue. So I'm going to remove the password estimate check functionality from this module and also remove the dependency on I hope is ok with you all. |
astirpe
force-pushed
the
16_mig_password_security
branch
from
b0ac344 to
c8d5d68
Compare
|
Are there any updates on this PR? Or is it good to go? |
|
Would be good for me if this PR gets merged soon |
Co-authored-by: Dawn Hwang <[email protected]>
|
Ready to migrate ? |
|
Hello, is there anything left to do before merging? I could help with any tasks left. |
|
/ocabot migration password_security /ocabot merge nobump |
|
What a great day to merge this nice PR. Let's do it! |
|
Congratulations, your PR was merged at 283776a. Thanks a lot for contributing to OCA. ❤️ |
Syncing from upstream OCA/server-auth (16.0)
Together with the module migration, I'm proposing a revised version of the module:
password_lengthwith standard fieldminlength, to avoid incompatibility with standard moduleauth_password_policy_portalpassword_securitymodule throws warning during tests #141