[16.0][FIX] password_security: update password_write_date on copy by maneandrea · Pull Request #713 · OCA/server-auth

maneandrea · 2024-10-16T17:38:21Z

Sometimes users are created from a template user via a copy().
This has the issue that a password is passed via the vals of the copy
and therefore never seen by the write() function.

As a result, the password_write_date field is left to the value of the
template, which is either outdated or null.

A concrete bug that resulted from this is that newly created users were
asked to renew their password on their very first login.

This commit reapplies the same logic of the write() method to the
copy() method as well.

It also changes the unit test test_03_create_user_signup to create the
user at some time in the past so that

assertNotEqual(password_write_date, created_user.password_write_date)

makes sense.

Finally it fixes the do_signup method to user the current user's
password otherwise the password_write_date will be overwritten even when
inputting invalid passwords

maneandrea · 2024-10-16T17:39:42Z

@moylop260 or @luisg123v Can you review?

moylop260 · 2024-10-23T14:01:52Z

    def do_signup(self, qcontext):
        password = qcontext.get("password")
-        user = request.env.user
+        user = (


the commit and the description mention the change in the copy

But this change is not mentioned

Also the title mention "...password_write_date on copy"

Could you elaborate how this search affects the purpose of this PR, please?

I am open to separate this in two PRs. Conceptually they are different fixes but in practice they are both needed.

The case is when a user has 2FA activated. If that is the case, they get to this method as the public user, so the check in user._check_password(password) does not detect the use of an old password. This makes the write method run which in turn updates password_write_date. Only after then, a second call to _check_password rejects the change.

However, since password_write_date is ~~not~~ now updated to today, the user is able to log in with the old (expired) password and use it for a long time after that.

BTW: I updated the PR description to match the commit message.

Hello, could you add a comment above the search to explain what we are trying to fix? That will help the maintenance in the future as it's not obvious just by reading the code.

@sebalix Sorry for the delay. I added some explanatory comment

moylop260

👍

remi-filament · 2025-03-10T12:39:14Z

+    def copy(self, vals):
+        if vals.get("password"):
+            vals["password_write_date"] = fields.Datetime.now()
+        return super(ResUsers, self).copy(vals)


Hi @maneandrea thank you for proposing a fix for this bug.
I found the same issue when signing up, the template user is copied with its initialization value of password_write_date.

I am however wondering about the way you propose to fix it, from my point of view, it would be better that this field "password_write_date" is not copied at all (adding a copy=False on field definition). If no value is provided then it will use default (= fields.Datetime.now()).

I'm taking over for Andrea so all issues in the PR get corrected. I just changed the field definition so that it is not copied over. Also added a unit test that verifies the fix is working. Can you review again please?

Sometimes users are created from a template user via a `copy()`. This has the issue that a password is passed via the `vals` of the copy and therefore never seen by the `write()` function. As a result, the `password_write_date` field is left to the value of the template, which is either outdated or null. A concrete bug that resulted from this is that newly created users were asked to renew their password on their very first login. --- To ammend this, the field is no longer copied when cloning users. A new unnitest was added to verify this. It also changes the unit test test_03_create_user_signup to create the user at some time in the past so that ```python assertNotEqual(password_write_date, created_user.password_write_date) ``` makes sense. Finally it fixes the do_signup method to user the current user's password otherwise the password_write_date will be overwritten even when inputting invalid passwords

OCA-git-bot · 2025-03-11T00:42:51Z

This PR has the approved label and has been created more than 5 days ago. It should therefore be ready to merge by a maintainer (or a PSC member if the concerned addon has no declared maintainer). 🤖

remi-filament · 2025-03-11T08:49:43Z

Thanks @antonag32, tested on Runboat, it works as expected !
Best Regards

antonag32 · 2025-03-11T19:20:28Z

Great, can a maintainer merge the change?

moylop260 · 2025-03-13T21:25:03Z

/ocabot merge patch

OCA-git-bot · 2025-03-13T21:25:12Z

This PR looks fantastic, let's merge it!
Prepared branch 16.0-ocabot-merge-pr-713-by-moylop260-bump-patch, awaiting test results.

OCA-git-bot · 2025-03-13T21:29:30Z

Congratulations, your PR was merged at f75d2e3. Thanks a lot for contributing to OCA. ❤️

moylop260 · 2026-06-24T18:48:38Z

FYI fowardporting:

maneandrea force-pushed the 16.0-password_security-update_on_copy-andrea branch 4 times, most recently from aa457f9 to 15da524 Compare October 22, 2024 20:31

hparfr approved these changes Oct 23, 2024

View reviewed changes

moylop260 reviewed Oct 23, 2024

View reviewed changes

sebalix changed the title ~~[FIX] password_security: update password_write_date on copy~~ [16.0][FIX] password_security: update password_write_date on copy Jan 3, 2025

maneandrea force-pushed the 16.0-password_security-update_on_copy-andrea branch from 15da524 to 82e5c0a Compare January 15, 2025 19:28

moylop260 approved these changes Jan 17, 2025

View reviewed changes

OCA-git-bot added the approved label Jan 17, 2025

remi-filament reviewed Mar 10, 2025

View reviewed changes

antonag32 force-pushed the 16.0-password_security-update_on_copy-andrea branch from 82e5c0a to c33e127 Compare March 11, 2025 00:24

antonag32 force-pushed the 16.0-password_security-update_on_copy-andrea branch from c33e127 to f8c4092 Compare March 11, 2025 00:36

OCA-git-bot added the ready to merge label Mar 11, 2025

remi-filament approved these changes Mar 11, 2025

View reviewed changes

OCA-git-bot added the bot is merging ⏳ label Mar 13, 2025

OCA-git-bot merged commit 8ccbc97 into OCA:16.0 Mar 13, 2025

OCA-git-bot added merged 🎉 and removed bot is merging ⏳ labels Mar 13, 2025

antonag32 mentioned this pull request Mar 13, 2025

[17.0][MIG] password_security + use ir.config_parameters #731

Merged

This was referenced Jun 24, 2026

[17.0][FIX] password_security: update password_write_date on copy #963

Open

[18.0][FIX] password_security: update password_write_date on copy #964

Open

Uh oh!

Uh oh!

Conversation

maneandrea commented Oct 16, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

maneandrea commented Oct 16, 2024

Uh oh!

moylop260 Oct 23, 2024

Choose a reason for hiding this comment

Uh oh!

maneandrea Oct 23, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

sebalix Jan 3, 2025

Choose a reason for hiding this comment

Uh oh!

maneandrea Jan 15, 2025

Choose a reason for hiding this comment

Uh oh!

moylop260 left a comment

Choose a reason for hiding this comment

Uh oh!

remi-filament Mar 10, 2025

Choose a reason for hiding this comment

Uh oh!

antonag32 Mar 11, 2025

Choose a reason for hiding this comment

Uh oh!

OCA-git-bot commented Mar 11, 2025

Uh oh!

remi-filament commented Mar 11, 2025

Uh oh!

antonag32 commented Mar 11, 2025

Uh oh!

moylop260 commented Mar 13, 2025

Uh oh!

OCA-git-bot commented Mar 13, 2025

Uh oh!

OCA-git-bot commented Mar 13, 2025

Uh oh!

moylop260 commented Jun 24, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

maneandrea commented Oct 16, 2024 •

edited

Loading

maneandrea Oct 23, 2024 •

edited

Loading