Community mailing list archives

Re: Double Password for Each User?

Mohammad Alhashash
- 08/03/2015 06:56:52
Here are some ideas:

Via the menu action:
You can make the menu point to a server action that checks the current user's login_date field. If it is older than a certain period (for example, 5 minutes), it logs the user out (redirect to URL "/web/session/logout"); if not, it should return the target action.

This is not an actual security measure, as the user can access the view/report via other means like URL manipulation or a direct JSON call.

Via a record rule:
The evaluation context of a record rule's domain includes 'user' (the current user's browse record) and 'time' (the Python module). You may create a rule to validate that the login_date is within the required period of time. The user will get an access error message if he logged in before that period.
You may combine both methods so users get logged out automatically if they try to open the menu instead of getting an access error later.

Using the login_date field is not accurate, as the user may have logged in from another machine. You should actually check the current session age. You can extend the res.users model to provide a field that returns when the current session was authenticated or the number of seconds since authentication.

Via an action wizard:
Create a wizard with a password field and use res.users.check_credentials() to validate the password. Extend the res.users model as mentioned above to create record rules to control model access based on when the user was authenticated in the current session.

- Mohammad Alhashash
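
A plain-Python model of the point above about login_date versus session age, added here as an example; it is not code from the post and does not use Odoo's API. The User and Session classes, the function names and the timestamps are hypothetical; MAX_AGE takes the post's 5-minute example period.

```python
import hashlib
import hmac
import os

MAX_AGE = 300  # seconds; the post's "5 minutes" example period

class User:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.login_date = None  # one value per user, like login_date

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, self._hash(password))

class Session:
    def __init__(self, user):
        self.user = user
        self.authenticated_at = None  # one value per session

    def authenticate(self, password, now):  # login or re-authentication prompt
        if not self.user.check_password(password):
            return False  # failed prompt leaves both timestamps untouched
        self.authenticated_at = self.user.login_date = now
        return True

def fresh_by_login_date(session, now):
    stamp = session.user.login_date
    return stamp is not None and now - stamp <= MAX_AGE

def fresh_by_session_age(session, now):
    stamp = session.authenticated_at
    return stamp is not None and now - stamp <= MAX_AGE

def demo(now=3660):
    user = User("constructed-password")  # constructed sample credential
    office, home = Session(user), Session(user)
    office.authenticate("constructed-password", now=0)
    home.authenticate("constructed-password", now=3600)  # later login elsewhere
    out = {"office_by_login_date": fresh_by_login_date(office, now),
           "office_by_session_age": fresh_by_session_age(office, now),
           "home_by_session_age": fresh_by_session_age(home, now)}
    out["wrong_password"] = office.authenticate("guess", now)
    out["office_after_failed_prompt"] = fresh_by_session_age(office, now)
    out["reauth"] = office.authenticate("constructed-password", now)
    out["office_after_reauth"] = fresh_by_session_age(office, now)
    return out
```

The hour-old office session passes the per-user login_date check only because the same user logged in elsewhere a minute earlier; the per-session timestamp rejects it until the password prompt succeeds in that session.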

On 03/08/15 10:47, Togar Hutabarat wrote:
Dear Community,

We have a requirement from our customer, and we have thought about it like crazy for a few days. Hopefully I can get a clue from our community. One of our customers asks for a feature that will require them to input/type their password when they access a particular menu, such as Payslip, Financial Report, etc. Similar to Linux/MacOS asking for your password when modifying a file that belongs to root. This will prevent unwelcome usage of critical information. Do we have any module for such a feature?

Best regards,
Togar Hutabarat
