
openerp-community-reviewer team mailing list archive

Re: [Merge] lp:~sylvain-legal/server-env-tools/7.0-auth_admin_passkey into lp:server-env-tools

 

Review: Needs Information

Some more comments from my side:

Wild idea: in your override of check_credentials, why don't you first check if uid != SUPERUSER_ID and in that case don't call *super* but call self.check_credentials itself with the SUPERUSER_ID argument? This should fix compatibility with any authentication module.

Note that there is a small security risk in sending the emails to the unprivileged user: if such a user happens to have the same password as the administrator (it might just happen), they will receive an email that the administrator has logged on as themselves. They may then figure out that their password is the same as the administrator's, and they might then take advantage of that.

l.275: would it maybe make more sense if you check this condition *before* the try block in l.271?

-- 
https://code.launchpad.net/~sylvain-legal/server-env-tools/7.0-auth_admin_passkey/+merge/211338
Your team Server Environment And Tools Core Editors is subscribed to branch lp:server-env-tools.
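
The delegation suggested in the review above, as an added stand-alone sketch that is not code from the merge proposal or from OpenERP: on a failed login for an ordinary user, the override re-enters `self.check_credentials` with `SUPERUSER_ID` so that every stacked authentication override also runs for the administrator check. The classes `BaseUsers`, `PasskeyUsers`, `DirectoryUsers`, the `passkey_log` list and the `authenticate` helper are hypothetical stand-ins, and the passwords are constructed sample data.

```python
SUPERUSER_ID = 1


class AccessDenied(Exception):
    pass


class BaseUsers:
    """Stand-in for the core user model: plain local password check."""

    def __init__(self, local, directory):
        self.local = local          # constructed sample data: uid -> password
        self.directory = directory  # constructed sample data: uid -> password
        self.passkey_log = []       # uids the administrator logged in as

    def check_credentials(self, uid, password):
        if not password or self.local.get(uid) != password:
            raise AccessDenied()


class PasskeyUsers(BaseUsers):
    """Passkey override using the delegation suggested in the review."""

    def check_credentials(self, uid, password):
        try:
            super().check_credentials(uid, password)
        except AccessDenied:
            if uid == SUPERUSER_ID:
                raise  # the administrator's own login failed: stop here
            # Re-enter through self so that every stacked override runs
            # for the administrator check, not only the classes below us.
            self.check_credentials(SUPERUSER_ID, password)
            self.passkey_log.append(uid)


class DirectoryUsers(PasskeyUsers):
    """Hypothetical auth module loaded after the passkey module."""

    def check_credentials(self, uid, password):
        if password and self.directory.get(uid) == password:
            return
        super().check_credentials(uid, password)


def authenticate(users, uid, password):
    try:
        users.check_credentials(uid, password)
        return True
    except AccessDenied:
        return False
```

Had `PasskeyUsers` called `super().check_credentials(SUPERUSER_ID, password)` instead, the administrator's directory password would never be tested, because `DirectoryUsers` sits above it in the method resolution order.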

