[MIG] auth_brute_force: Migration to 10.0 #877
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pedrobaeza
requested changes
Jun 28, 2017
Member
pedrobaeza
left a comment
pedrobaeza
left a comment
There was a problem hiding this comment.
Tried also on runbot with a non correct behavior:
- Login n times until I reach the limit.
- On last attempt, it gets me to an incorrect "Internal Server Error", and no banned remote is written.
- Then, I'm able to login again with correct credentials.
auth_brute_force/README.rst
Outdated
|
|
||
| * Authentication failed from remote '127.0.0.1'. Login tried : 'admin'. | ||
| Attempt 1 / 10. | ||
| Attempt 1 / 10. |
Member
There was a problem hiding this comment.
Why do you remove indentation? This provokes an incorrect RST syntax. It was correct as it was.
Member
Author
There was a problem hiding this comment.
Seem like my editor tried somehow to re-indent it...
auth_brute_force/README.rst
Outdated
| Known issues / Roadmap | ||
| ====================== | ||
|
|
||
| The ID used to identify a remote request is the IP provided in the request |
Member
There was a problem hiding this comment.
Put * and indent the rest of the lines.
auth_brute_force/README.rst
Outdated
| of the user can be wrong, and mainly in the following cases: | ||
|
|
||
| * if the Odoo server is behind an Apache / NGinx proxy without redirection, | ||
| all the request will be have the value '127.0.0.1' for the REMOTE_ADDR key; |
auth_brute_force/README.rst
Outdated
| * if the Odoo server is behind an Apache / NGinx proxy without redirection, | ||
| all the request will be have the value '127.0.0.1' for the REMOTE_ADDR key; | ||
| * If some users are behind the same Internet Service Provider, if a user is | ||
| banned, all the other users will be banned too; |
auth_brute_force/__manifest__.py
Outdated
| 'category': 'Tools', | ||
| 'summary': "Tracks Authentication Attempts and Prevents Brute-force" | ||
| " Attacks module", | ||
| 'author': "GRAP,Odoo Community Association (OCA)", |
| <openerp> | ||
| <!-- Copyright 2015 GRAP -Sylvain LE GAL | ||
| License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). --> | ||
| <odoo> |
Member
There was a problem hiding this comment.
Put directly <odoo noupdate="1">
pedrobaeza
reviewed
Jun 28, 2017
| "Authentication failed from remote '%s'. " | ||
| "The remote has been banned. Login tried : '%s'" | ||
| "." % (remote, request.params['login'])) | ||
| banned_remote_obj.create(cursor, SUPERUSER_ID, { |
Member
There was a problem hiding this comment.
You haven't converted this to new API (banned_remote_obj.sudo().create({ ... }))
Garamotte
suggested changes
Jun 28, 2017
| @@ -0,0 +1,77 @@ | |||
| # -*- coding: utf-8 -*- | |||
| attempt_obj = env['res.authentication.attempt'] | ||
| banned_remote_obj = env['res.banned.remote'] | ||
| # Get Settings | ||
| max_attempts_qty = int(config_obj.search_read( |
There was a problem hiding this comment.
Use config_obj.get_param('auth_brute_force.max_attempt_qty') instead of search_read.
| request.session.db, request.params['login'], | ||
| request.params['password']) | ||
| # Log attempt | ||
| cursor.commit() |
There was a problem hiding this comment.
There is a commit just after the next instruction, is this commit really needed ?
Member
Author
There was a problem hiding this comment.
Yes. It seems that it's not neccesary.
| <!-- Copyright 2015 GRAP -Sylvain LE GAL | ||
| License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). --> | ||
| <odoo> | ||
| <data noupdate="1"> |
There was a problem hiding this comment.
Remove the data node and include the noupdate attribute in the odoo node.
| string='Description', compute='_compute_description', store=True) | ||
|
|
||
| ban_date = fields.Datetime( | ||
| string='Ban Date', required=True, default=_default_ban_date) |
| def _compute_attempt_ids(self): | ||
| for item in self: | ||
| attempt_obj = self.env['res.authentication.attempt'] | ||
| item.attempt_ids = attempt_obj.search_last_failed(item.remote).ids |
There was a problem hiding this comment.
You can remove the trailing .ids, Odoo allows you to assign a recordset.
Member
Author
|
@pedrobaeza @sylvain-garancher I coded your suggestions and tested functionally in local. |
pedrobaeza
approved these changes
Jun 29, 2017
chienandalu
force-pushed
the
10.0-mig-auth_brute_force
branch
from
5ac1662 to
18f4dee
Compare
Garamotte
approved these changes
Jun 30, 2017
pedrobaeza
force-pushed
the
10.0-mig-auth_brute_force
branch
from
18f4dee to
e91bdfb
Compare
yajo
pushed a commit
to Tecnativa/server-auth
that referenced
this pull request
May 22, 2018
nikunjantala
pushed a commit
to Nitrokey/odoo-server-auth
that referenced
this pull request
Sep 5, 2022
nikunjantala
pushed a commit
to Nitrokey/odoo-server-auth
that referenced
this pull request
Sep 28, 2022
nikunjantala
pushed a commit
to Nitrokey/odoo-server-auth
that referenced
this pull request
Oct 10, 2022
dsolanki-initos
pushed a commit
to Nitrokey/odoo-server-auth
that referenced
this pull request
Nov 30, 2022
SiesslPhillip
pushed a commit
to grueneerde/OCA-server-tools
that referenced
this pull request
Nov 20, 2024
Merge 15.0 into 15.0.project_MI_465
hitesh-erpharbor
pushed a commit
to Nitrokey/odoo-server-auth
that referenced
this pull request
Nov 26, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Tracks Authentication Attempts and Prevents Brute-force Attacks
This module registers each request done by users trying to authenticate into
Odoo. If the authentication fails, a counter is increased for the given remote
IP. After a defined number of attempts, Odoo will ban the remote IP and
ignore new requests.
cc @Tecnativa