OCA / server-auth

https://odoo-community.org/psc-teams/tools-30
GNU Affero General Public License v3.0

[15.0] password_security: Fix login with MFA enabled #639

Closed grindtildeath closed 2 months ago

grindtildeath commented 3 months ago

When MFA is enabled, the web_login function returns a redirect to /web/login/totp, but the session is not fully authenticated.

Therefore, the check done for expired password on request.env.user was executed on the public user instead of the user trying to log in.

Once the public user's password expired, it then redirected to the password reset form of the public user, blocking the user from logging in.

Instead of overriding web_login, it's safer to override _login_redirect as this function is meant to customize the user redirection on login.

By checking if the user is fully logged in before checking if its password is expired, we ensure it will not mess with any other authentication process.
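To make the failure mode described above concrete, here is a small constructed Python model of the redirect decision. It is an added illustration, not code from OCA/server-auth or from Odoo: it assumes a two-step session (a `pre_uid` set after the password check, a `uid` set only once MFA is complete), a request environment that resolves to a public user until the session is fully authenticated, and a constructed 90-day expiry policy. `redirect_buggy` checks the environment user the way the original override did; `redirect_fixed` first asks whether the session is fully logged in and leaves the MFA flow alone otherwise.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed id for the anonymous "public" user (an assumption of this model).
PUBLIC_UID = 4
TODAY = date(2024, 2, 1)  # constructed "today" so the example is deterministic


@dataclass
class User:
    uid: int
    login: str
    password_date: date          # when the password was last changed
    password_max_days: int = 90  # constructed policy: expire after 90 days
    mfa_enabled: bool = False

    def password_expired(self, today: date) -> bool:
        return today - self.password_date > timedelta(days=self.password_max_days)


@dataclass
class Session:
    """Two-step session state: pre_uid is set after a correct password,
    uid only once MFA (if enabled) has been completed."""
    pre_uid: Optional[int] = None
    uid: Optional[int] = None

    def env_user_uid(self) -> int:
        # Until the session is fully authenticated the request environment
        # resolves to the public user (assumption of this model).
        return self.uid if self.uid is not None else PUBLIC_UID


# Constructed user table: the public user has a very old password, alice has
# MFA enabled and a fresh password, bob has no MFA and an expired password.
USERS = {
    PUBLIC_UID: User(PUBLIC_UID, "public", date(2000, 1, 1)),
    7: User(7, "alice", date(2024, 1, 1), mfa_enabled=True),
    8: User(8, "bob", date(2023, 1, 1)),
}


def authenticate(login: str, session: Session) -> int:
    """Password step: returns the uid and finalizes the session only when
    the user has no MFA, otherwise leaves it partially authenticated."""
    user = next(u for u in USERS.values() if u.login == login)
    session.pre_uid = user.uid
    if not user.mfa_enabled:
        session.uid = user.uid
    return user.uid


def redirect_buggy(uid: int, session: Session, redirect: str = "/web") -> str:
    """Old behaviour: expiry is checked on the environment user, which is the
    public user while MFA is still pending."""
    target = "/web/login/totp" if session.uid is None else redirect
    env_user = USERS[session.env_user_uid()]
    if env_user.password_expired(TODAY):
        return "/web/reset_password?expired=1"
    return target


def redirect_fixed(uid: int, session: Session, redirect: str = "/web") -> str:
    """Fixed behaviour: only a fully logged-in session is checked for expiry;
    a partial (MFA) session is handed to the TOTP step untouched."""
    if session.uid is None:
        return "/web/login/totp"
    if USERS[uid].password_expired(TODAY):
        return "/web/reset_password?expired=1"
    return redirect


if __name__ == "__main__":
    s = Session()
    uid = authenticate("alice", s)
    print("buggy:", redirect_buggy(uid, s))  # lands on the public user's reset form
    print("fixed:", redirect_fixed(uid, s))  # continues to /web/login/totp
```

Running the module shows the symptom from the report: with an MFA user the old logic redirects to the password reset form because the public user's password is expired, while the fixed logic forwards to the TOTP page; for a user without MFA whose own password has expired, both paths still redirect to the reset form, so the expiry check is preserved where it belongs.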

grindtildeath commented 3 months ago

ping @astirpe since you seem to have worked on a similar issue in 16.0

OCA-git-bot commented 3 months ago

This PR has the approved label and has been created more than 5 days ago. It should therefore be ready to merge by a maintainer (or a PSC member if the concerned addon has no declared maintainer). 🤖

dreispt commented 2 months ago

@grindtildeath Please squash your commits

grindtildeath commented 2 months ago

@dreispt done.

dreispt commented 2 months ago

/ocabot merge patch

OCA-git-bot commented 2 months ago

On my way to merge this fine PR! Prepared branch 15.0-ocabot-merge-pr-639-by-dreispt-bump-patch, awaiting test results.

OCA-git-bot commented 2 months ago

Congratulations, your PR was merged at a0067493e4067b2818a7c829b84c17c5781c12fc. Thanks a lot for contributing to OCA. ❤️