Help

0

Access Denied by ACLs/ Failed to update web.base.url configuration parameter

Avatar
GiancaFTx

good afternoon,
I have an error that I cannot solve. It seems to be group permissions, I am initializing the result variable to zero, I don't know what value to pass. I only know that it refers to gu.uid (integer).
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_auth_brute_force_id,auth_brute_force,auth_brute_force.model_res_authentication_attempt,,1,1,1,1
access_auth_brute_force2_id,auth_brute_force,auth_brute_force.model_res_users,,1,1,1,1

odoo:12

addons: auth_brute_force  

******result******* 0
******result******* 0
2020-01-24 20:22:08,110 1 INFO odoo12v2 odoo.addons.base.models.res_users: Login failed for db:odoo12v2 login:user@odoo.com from 192.168.99.1
2020-01-24 20:22:08,162 1 INFO odoo12v2 odoo.addons.base.models.ir_model: Access Denied by ACLs for operation: read, uid: 0, model: ir.config_parameter
2020-01-24 20:22:08,162 1 ERROR odoo12v2 odoo.addons.base.models.res_users: Failed to update web.base.url configuration parameter
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/odoo/tools/cache.py", line 88, in lookup
r = d[key]
File "/usr/lib/python3/dist-packages/odoo/tools/func.py", line 69, in wrapper
return func(self, *args, **kwargs)
File "/usr/lib/python3/dist-packages/odoo/tools/lru.py", line 44, in __getitem__
a = self.d[obj].me
KeyError: ('ir.config_parameter', <function IrConfigParameter._get_param at 0x7f57834df488>, 0, 'web.base.url.freeze')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/odoo/tools/cache.py", line 88, in lookup
r = d[key]
File "/usr/lib/python3/dist-packages/odoo/tools/func.py", line 69, in wrapper
return func(self, *args, **kwargs)
File "/usr/lib/python3/dist-packages/odoo/tools/lru.py", line 44, in __getitem__
a = self.d[obj].me
KeyError: ('ir.model.access', <function IrModelAccess.check at 0x7f57843cf048>, 0, 'ir.config_parameter', 'read', True, (None,))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/odoo/addons/base/models/res_users.py", line 591, in authenticate
if not ICP.get_param('web.base.url.freeze'):
File "/usr/lib/python3/dist-packages/odoo/addons/base/models/ir_config_parameter.py", line 64, in get_param
return self._get_param(key) or default
File "<decorator-gen-52>", line 2, in _get_param
File "/usr/lib/python3/dist-packages/odoo/tools/cache.py", line 93, in lookup
value = d[key] = self.method(*args, **kwargs)
File "/usr/lib/python3/dist-packages/odoo/addons/base/models/ir_config_parameter.py", line 69, in _get_param
params = self.search_read([('key', '=', key)], fields=['value'], limit=1)
File "/usr/lib/python3/dist-packages/odoo/models.py", line 4525, in search_read
records = self.search(domain or [], offset=offset, limit=limit, order=order)
File "/usr/lib/python3/dist-packages/odoo/models.py", line 1561, in search
res = self._search(args, offset=offset, limit=limit, order=order, count=count)
File "/usr/lib/python3/dist-packages/odoo/models.py", line 4055, in _search
self.sudo(access_rights_uid or self._uid).check_access_rights('read')
File "/usr/lib/python3/dist-packages/odoo/models.py", line 3005, in check_access_rights
return self.env['ir.model.access'].check(self._name, operation, raise_exception)
File "<decorator-gen-23>", line 2, in check
File "/usr/lib/python3/dist-packages/odoo/tools/cache.py", line 93, in lookup
value = d[key] = self.method(*args, **kwargs)
File "/usr/lib/python3/dist-packages/odoo/addons/base/models/ir_model.py", line 1251, in check
raise AccessError(msg % msg_params)
odoo.exceptions.AccessError: ('Lo siento, no tiene permiso para acceder a este documento. Sólo usuarios con los siguientes permisos están autorizados a hacer esto:\n- Administration/Settings\n\n(Modelo de documento: ir.config_parameter)', None)
2020-01-24 20:22:08,191 1 INFO odoo12v2 werkzeug: 192.168.99.1 - - [24/Jan/2020 20:22:08] "POST /web/login HTTP/1.1" 200 - 17 0.046 0.422


************** I have the error here.

def _auth_attempt_force_raise(cls, login, method):
"""Force a method to raise an AccessDenied on falsey return."""
    result =0
    try:     
        with cls._auth_attempt(login):
        os.system("echo ******result******* '{}'".format(str(result)))
        if not result:
            result = method()
        # Force exception to record auth failure
            raise AccessDenied()
        except AccessDenied:
            pass  # `_auth_attempt()` did the hard part already

    return result

**************

import logging
from contextlib import contextmanager
from threading import current_thread
from odoo import api, models, SUPERUSER_ID
from odoo.exceptions import AccessDenied
from odoo.service import wsgi_server

_logger = logging.getLogger(__name__)


class ResUsers(models.Model):
    _inherit = "res.users"

# HACK https://github.com/odoo/odoo/issues/24183
# TODO Remove in v12, and use normal odoo.http.request to get details
    @api.model_cr
        def _register_hook(self):
        """🐒-patch XML-RPC controller to know remote address."""
        original_fn = wsgi_server.application_unproxied

            def _patch(environ, start_response):
                current_thread().environ = environ
                return original_fn(environ, start_response)

            wsgi_server.application_unproxied = _patch 

    # Helpers to track authentication attempts
    @classmethod
    @contextmanager
    def _auth_attempt(cls, login):
        """Start an authentication attempt and track its state."""
        try:
            # Check if this call is nested
            attempt_id = current_thread().auth_attempt_id
        except AttributeError:
            # Not nested; create a new attempt
            attempt_id = cls._auth_attempt_new(login)
        if not attempt_id:
            # No attempt was created, so there's nothing to do here
            yield
            return
    try:
        current_thread().auth_attempt_id = attempt_id
        result = "successful"
        try:
            yield
        except AccessDenied as error: 
            result = getattr(error, "reason", "failed")
            raise
        finally:
            cls._auth_attempt_update({"result": result})
    finally:
        try:
            del current_thread().auth_attempt_id
        except AttributeError:
            pass  # It was deleted already

    @classmethod
    def _auth_attempt_force_raise(cls, login, method):
    """Force a method to raise an AccessDenied on falsey return."""

     result=0                                         
        try:
            with cls._auth_attempt(login):
                result = method()
                if not result:
                    # Force exception to record auth failure
                    raise AccessDenied()
        except AccessDenied:
            pass  # `_auth_attempt()` did the hard part already
            return result

    @classmethod
    def _auth_attempt_new(cls, login):
    """Store one authentication attempt, not knowing the result."""
    # Get the right remote address
        try:
            remote_addr = current_thread().environ["REMOTE_ADDR"]
        except (KeyError, AttributeError):
            remote_addr = False 
        # Exit if it doesn't make sense to store this attempt
        if not remote_addr:
            return False 
            # Use a separate cursor to keep changes always
        with cls.pool.cursor() as cr:
            env = api.Environment(cr, SUPERUSER_ID, {})
            attempt = env["res.authentication.attempt"].create({
                "login": login,
                "remote": remote_addr,
            })
            return attempt.id

    @classmethod
    def _auth_attempt_update(cls, values):
    """Update a given auth attempt if we still ignore its result."""
        auth_id = getattr(current_thread(), "auth_attempt_id", False)
        if not auth_id:
            return {}  # No running auth attempt; nothing to do
        # Use a separate cursor to keep changes always
        with cls.pool.cursor() as cr:
            env = api.Environment(cr, SUPERUSER_ID, {})
            attempt = env["res.authentication.attempt"].browse(auth_id)
            # Update only on 1st call
            if not attempt.result:
                attempt.write(values)
            return attempt.copy_data()[0] if attempt else {}

        # Override all auth-related core methods
    @classmethod
    def _login(cls, db, login, password):
        return cls._auth_attempt_force_raise(
        login,
        lambda: super(ResUsers, cls)._login(db, login, password),
         ) 

    @classmethod
    def authenticate(cls, db, login, password, user_agent_env):
        return cls._auth_attempt_force_raise(
        login, 
        lambda: super(ResUsers, cls).authenticate(
            db, login, password, user_agent_env),
        )

    @api.model
    def check_credentials(self, password):
       login = self.env.user.login
        with self._auth_attempt(login):
        # Update login, just in case we stored the UID before
            attempt = self._auth_attempt_update({"login": login})
            remote = attempt.get("remote")
            # Fail if the remote is banned
            trusted = self.env["res.authentication.attempt"]._trusted(
                remote,
                login,
            )
            if not trusted:
                error = AccessDenied()
                error.reason = "banned"
                raise error
            # Continue with other auth systems
            return super(ResUsers, self).check_credentials(password)

Avatar
Discard
1 Answer
2

Only Admin/Settings have the access to ir.config.parameter object. You can add read access for this object without applying any group.

Avatar
Discard