FIX auth_saml: password reset when deactivating the config settings

OCA · Jan 3, 2024 · c1dc1da · c1dc1da
1 parent 2da03ab
commit c1dc1da
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/auth_saml/models/ir_config_parameter.py b/auth_saml/models/ir_config_parameter.py
@@ -27,3 +27,14 @@ def write(self, vals):
         if self.filtered(lambda param: param.key == ALLOW_SAML_UID_AND_PASSWORD):
             self.env["res.users"].allow_saml_and_password_changed()
         return result
+
+    def unlink(self):
+        """Redefined to update users when our parameter is deleted."""
+        reset = False
+        for param in self:
+            if param.key == ALLOW_SAML_UID_AND_PASSWORD:
+                reset = True
+        result = super().unlink()
+        if result and reset:
+            self.env["res.users"].allow_saml_and_password_changed()
+        return result
diff --git a/auth_saml/tests/test_pysaml.py b/auth_saml/tests/test_pysaml.py
@@ -273,3 +273,20 @@ def test_disallow_user_admin_can_have_password(self):
         ).value = "False"
         # Test base.user_admin exception
         self.env.ref("base.user_admin").password = "nNRST4j*->sEatNGg._!"
+
+    def test_config_setting_deactivate_password(self):
+        """Test that disabling the setting will remove passwords from related users"""
+        # We activate the settings to allow password login
+        self.env['res.config.settings'].create({
+            'allow_saml_uid_and_internal_password': True,
+        }).execute()
+
+        # Test the user can login with the password
+        self.authenticate(user="[email protected]", password="Lu,ums-7vRU>0i]=YDLa")
+
+        self.env['res.config.settings'].create({
+            'allow_saml_uid_and_internal_password': False,
+        }).execute()
+
+        with self.assertRaises(AccessDenied):
+            self.authenticate(user="[email protected]", password="Lu,ums-7vRU>0i]=YDLa")