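# -*- coding: utf-8 -*-
import ipaddress

from odoo import _, SUPERUSER_ID
from odoo.http import request
from odoo.addons.web.controllers import main as web


def _admin_password_warn(uid):
    """Post a chat warning when the admin logs in with the default ``admin`` password.

    Uses a private mail.channel from the system (/ odoobot) to the user:
    posting through a more generic mail.thread could send an email, which is
    undesirable here.

    The warning is skipped when any of the following holds:

    * the submitted password is not ``admin``;
    * the request comes from a private address (``ipaddress`` ``is_private``);
    * ``uid`` is not one of the users of ``base.partner_admin``;
    * at least one module is flagged as having demo data.

    This is a best-effort nag and must never break the login flow, so a
    missing ``password`` parameter or an unparsable remote address is
    tolerated instead of raising.

    :param uid: id of the user who has just authenticated
    """
    # `.get` rather than indexing: a login request without a `password`
    # parameter must not fail with KeyError in a purely advisory helper.
    if request.params.get('password') != 'admin':
        return

    # NOTE(review): remote_addr is whatever the HTTP layer reports. Behind a
    # reverse proxy whose forwarded headers are not honoured this is presumably
    # the proxy's own (often private) address, which would silence the warning
    # for every client -- confirm the deployment's proxy configuration.
    try:
        from_private_network = ipaddress.ip_address(
            request.httprequest.remote_addr
        ).is_private
    except ValueError:
        # Not a parsable IP address: it cannot be shown to be private, so fall
        # through and warn rather than fail the login or stay silent.
        from_private_network = False
    if from_private_network:
        return

    env = request.env(user=SUPERUSER_ID, su=True)
    admin = env.ref('base.partner_admin')
    if uid not in admin.user_ids.ids:
        return

    # Databases with demo data are skipped.
    if env['ir.module.module'].search_count([('demo', '=', True)]):
        return

    # Post as superuser but with the logged-in user's context
    # (presumably so the message is rendered with that user's language/timezone).
    user = request.env(user=uid)['res.users']
    MailChannel = env(context=user.context_get())['mail.channel']
    channel = MailChannel.browse(MailChannel.channel_get([admin.id])['id'])
    channel.message_post(
        body=_("Your password is the default (admin)! If this system is exposed to untrusted users it is important to change it immediately for security reasons. I will keep nagging you about it!"),
        message_type='comment',
        subtype_xmlid='mail.mt_comment',
    )


class Home(web.Home):
    """Web ``Home`` controller extended with the default-password warning."""

    def _login_redirect(self, uid, redirect=None):
        """Warn about a default admin password, then defer to the parent redirect.

        The check only runs when the request carries a ``login_success``
        parameter.
        """
        if request.params.get('login_success'):
            _admin_password_warn(uid)

        return super()._login_redirect(uid, redirect)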