I use odoo as a system in our company and want to use the website for internal news and informations. However the public should not see the website - only logged in users should! Viewers who aren't logged in should be redirected to the login screen.
Is that possible and how could I do it?
When you define the route with #http.route you have a parameter "auth", where you define that. From the odoo documentation:
auth –
The type of authentication method, can on of the following:
user: The user must be authenticated and the current request will perform using the rights of the user.
public: The user may or may not be authenticated. If she isn’t, the current request will perform using the shared Public user.
none: The method is always active, even if there is no database. Mainly used by the framework and authentication modules. There request code will not have any facilities to access the database nor have any configuration indicating the current database nor the current user.
Have a look to https://www.odoo.com/documentation/12.0/reference/http.html
It is simple , just give auth="user" in your method at main.py file in controller.
#http.route('/name', type='http', csrf=False, auth='user', website=True)
Related
I work under Odoo11 with the Python3 language.
When the person goes to a web page, I want them to automatically connect without going through an authentication page. Is that possible? And if so, by what means? Controllers, url to change?
I don't have any code to suggest, because I don't know where to start.
Thanks for your understanding and thanks for your help!
EDIT :
I have a list on the Odoo website visible to only one user.
If I sign in with another internal user, I don't see this list.
There are several people who need to access this list. The url in question will be given only to these people.
I just want to avoid them an authentication page. It is a request made by our hierarchy.
My idea was to call a function "to disconnect" from Odoo (in case they have an open session) then pass the connection parameters (hard for example) with the username and password but only for a url.
My use_case I will say,
Url access -> Disconnect Session -> Connect Odoo session with username and password with parameters in my controller -> redirection to this url
Thank you
I am building 2 MVC applications and will be using IdentityServer as a single sign-on authentication provider. By following the sample code from IdentityServer web site, I can get the authentication working. But now I am confused about how to register new users in the MVC applications.
For example in MVC 1, I have a secured controller action. Now accessing this action will be redirected to IdentityServer login page. If user selected an external login provider and login successfully, then the user will be redirected to the "Register" page of IdentityServer to ask whether the user wants to register. If user clicks "Register", then redirected to the secured action successfully. So far the sample code has done all these. But my question is that MVC1 & MVC2 need some more information about the user for registration. How can I prompt user to input these additional information? It is not feasible to have these information inputted in the IdentityServer register page because MVC 1 & 2 need different information. But if I have a register page in MVC1 & MVC2, then how can I force user to complete the registration? After user is authenticated from IdentityServer, he is returned directly to the originally requested Url. I just can't have code in every controller action to verify whether an authenticated user have completed the detailed registration.
An ideal way is that once a user is authenticated from IdentityServer, I can check whether this user has been registered in the local MVC user database. If not, then redirect the user to the local MVC register page and then back to the originally requested Url. How this can be done or is there a more appropriate way for doing this?
But my question is that MVC1 & MVC2 need some more information about
the user for registration.
To retrieve additional user info, you could depend on user claims for the additional user information. Otherwise, there is an endpoint called UserInfo Endpoint
But if I have a register page in MVC1 & MVC2, then how can I force
user to complete the registration?
Based on client_id you could change the registration view
I just can't have code in every controller action to verify whether an
authenticated user have completed the detailed registration.
You could create a customize filter to validate that. But, I would say try to keep the user related details on IdS4 project
I can check whether this user has been registered in the local MVC
user database. If not, then redirect the user to the local MVC
register page and then back to the originally requested Url. How this
can be done or is there a more appropriate way for doing this?
If you think, these user information will only be used for this client then you could take this approach.
However, if possible you asked for all the required details on the user registration page, no harms keeping the information for mvc1 users. But sometimes it is not possible (e.g. internal vs external users). If it is for internal users, then I guess it would be better to have a seperate Admin UI where user can add extra information.
Anyway, if you want to keep everything in one user registration page on Id server, i would add an extra flag on Client table which will indicate to show extra fileds. Hope this may help you.
How does share know that user is not connected (and redirect him to login page)?
Even if a user is connected i'd like to check if he has some permission and redirect him to login page if not. So i'd like to know how Share manage authenticated user from session.
Can i use a filter, or listener or servlet or any other mecanism to intercept ALL url on share and check if connected user has require permission.
I'm using alfresco 5.0.d.
Thank you in advance for your help.
Depending on the authentication method being used and which services of Share are accessed (pages, proxy servlet or web scripts), there are multiple places where checks against the current user are made:
class SSOAuthenticationFilter - a servlet filter handling what it says in its name, Single Sign-On (SSO), e.g. Kerberos, NTLM or CAS / external authentication
class PageView - part of the Surf framework that checks if the current user has the required privileges for the current page (limited differentiation of guest, user, admin as defined by the page XML definition)
class SlingshotPageView - an enhancement / specialisation of the PageView class
class EndpointProxyServlet - handling authentication for any backend ReST API calls proxied via Share
classes PresentationContainer and instances of Authenticator interface - handling direct calls to any web scripts outside of normal page rendition cycles
Technically you can use a filter to intercept all servlet invocations on Share, but I it is not ideal from a maintenance point of view (web.xml is not easily extensible and overriden on upgrades). If all you are interested in are page rendition requests, you can use Surf extension modules to inject post-processing code that is able to generate redirection responses if user permissions are lacking. Via the root-scoped "status" object you can send the HTTP redirect responses and define a target location.
I've been creating API and consumer by following Simple API Development with Laravel from Aaron Kuzemchak. I got the problem after I success to auth via API from my consumer; I do not know how to check it, if the consummer already success logged in or not at the other pages...
For example, at the first; I show the login page, click the submit button to check the credentials via API. The login attempt is working, success to logged in and redirect to dashboard. But, if I haven't logged in and accessed the dashboard from URL, i got the dashboard :O
The API server and the consumer have separated machine and the database only exists at the API server.
Am I doing this right (with the flow for the API and Consumer) ?
At the consumer, how can I get to know if the user already logged in or not (after success attempt the credential)? (somehow? someidea?)
Thank you before... :)
This question is very confusing, probably because I haven't watched that screencast yet, but shouldn't Auth::check() be what you are looking for? It will return true or false depending on if the user is logged in.
Just to make sure:
You have a back end API built from the tutorial posted here: http://kuzemchak.net/blog/entry/laracon-slides-and-video
You're using HTTP Basic authentication as described in the above tutorial
You're building a (consumer) front end web interface for users on a separate server
Your consumer interface uses forms based authentication (a login form)
The backend API uses HTTP basic authentication (and the consumer sends an API key for the user with each request). As such, the backend won't keep track of a user being logged in. That means your consumer interface will need to do this.
You could use the Laravel Auth class for this normally, but your front end would normally have access to the database and the bundled authentication drivers could just check a username/password.
I'd say your options are:
Store details of the user in a session using the Session class (feels a bit nasty but simple)
Write an authentication driver and then use the Auth class (advanced but cleaner: http://www.karlvalentin.de/1903/write-your-own-auth-driver-for-laravel-4.html)
Just talk straight to the database using the existing Auth class and Eloquent
Apache tomcat version: 6.0.20
If user is already logged, and he tries to login again from login page, the j_security_check is not available error is encountered. Is it normal behaviour or I have to do something?
Actually I have different user roles for accessing different pages, and when access to a page is denied to a particular user, I want to redirect him to login page, where he can login with corresponding credentials.
This behavior is normal: the servlet spec only lays-out the procedure for container-managed authentication (i.e. login) when the user requests a protected resource and the user has not already provided credentials. All other scenarios are left undefined, including yours.
If you want to capture "forbidden" conditions, you can use <error-page> mappings in your WEB-INF/web.xml to send the user anywhere you want, including a login page. Just remember that the container will only accept a login after the above conditions are true, so you may have to log the user out first (by terminating the user's session).
What I might recommend is a "forbidden" page that says "You don't have access to this resource. If you'd like to log-in as a different user to access it, please click [HERE]" where [HERE] is a link to a servlet that terminates the user's session and then redirects to the resource the user was trying to access. This will cause the container to request authentication (i.e. present the login form), verify the credentials, and send the user to the desired resource.
If you are using a container (and webapp) along with version 3.0 of the servlet specification, there is a new HttpServletRequest.login() method that can be used to programmatically log a user into your webapp. You might be able to use that instead of terminating the session and doing all those redirects... instead, you could collect the username and password yourself and then ask the container to do the login for you.