Closed grindtildeath closed 2 months ago
ping @astirpe since you seem to have worked on similar issue in 16.0
This PR has the approved label and has been created more than 5 days ago. It should therefore be ready to merge by a maintainer (or a PSC member if the concerned addon has no declared maintainer). 🤖
@grindtildeath Please squash your commits
@dreispt done.
/ocabot merge patch
On my way to merge this fine PR! Prepared branch 15.0-ocabot-merge-pr-639-by-dreispt-bump-patch, awaiting test results.
Congratulations, your PR was merged at a0067493e4067b2818a7c829b84c17c5781c12fc. Thanks a lot for contributing to OCA. ❤️
When MFA is enabled, the web_login function returns a redirect to /web/login/totp, but the session is not fully authenticated.
Therefore, the check for an expired password done on request.env.user was executed on the public user instead of the user trying to log in.
Once the public user's password had expired, it then redirected to the password reset form of the public user, blocking the user from logging in.
Instead of overriding web_login, it's safer to override _login_redirect, as this function is meant to customize the user redirection on login.
By checking if the user is fully logged in before checking if their password is expired, we ensure it will not mess with any other authentication process.
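The failure mode described above, as an added example that is neither the password_security module's code nor Odoo's: a small stand-alone Python model of the two session states an Odoo login can leave behind (a fully authenticated session with `uid` set, versus an MFA-pending one where only `pre_uid` is set and `request.env.user` therefore resolves to the public user), run through the buggy web_login-style check and the _login_redirect-style fix. The `User`, `Session`, `Env` classes, `PUBLIC_UID`, the `USERS` table and `reset_url` are constructed stand-ins for illustration only; `/web/login/totp` and the `uid`/`pre_uid` distinction are the real Odoo conventions the PR description refers to.

```python
# Added example, not code from OCA password_security or from Odoo.
# Models the session states behind the bug and compares the old and fixed checks.

from dataclasses import dataclass
from typing import Dict, Optional

PUBLIC_UID = 4              # stand-in id for the "public" res.users record (illustrative)
TOTP_URL = "/web/login/totp"  # where Odoo sends an MFA-pending login


@dataclass
class User:
    id: int
    login: str
    password_expired: bool

    def _password_has_expired(self) -> bool:
        return self.password_expired


@dataclass
class Session:
    # Odoo 14+: a login that still needs a TOTP code sets pre_uid and leaves uid
    # unset; only a fully authenticated session has uid populated.
    uid: Optional[int] = None
    pre_uid: Optional[int] = None


class Env:
    """Stand-in for request.env: .user is the session user, or the public user
    when nobody is fully logged in (the state that triggered the bug)."""

    def __init__(self, session: Session, users: Dict[int, User]):
        self.session = session
        self.users = users

    @property
    def user(self) -> User:
        return self.users[self.session.uid or PUBLIC_UID]


def reset_url(user: User) -> str:
    # hypothetical reset-form URL, standing in for the one the real module builds
    return f"/web/reset_password?login={user.login}"


def base_login_redirect(session: Session, uid: int, redirect: Optional[str] = None) -> str:
    """Simplified upstream behaviour: a fully logged session goes to the requested
    page, a partial (MFA) session goes to the TOTP page."""
    if session.uid:
        return redirect or "/web"
    return TOTP_URL


def web_login_old(session: Session, env: Env, uid: int, redirect: Optional[str] = None) -> str:
    """Buggy pattern: expiry is checked on request.env.user unconditionally, so an
    MFA-pending login is checked against the public user's password."""
    if env.user._password_has_expired():
        return reset_url(env.user)
    return base_login_redirect(session, uid, redirect)


def login_redirect_fixed(session: Session, env: Env, uid: int, redirect: Optional[str] = None) -> str:
    """Fixed pattern: only a fully logged-in session is checked for expiry; any
    other state defers to the base redirect (e.g. the TOTP step)."""
    if not session.uid:
        return base_login_redirect(session, uid, redirect)
    if env.user._password_has_expired():
        return reset_url(env.user)
    return base_login_redirect(session, uid, redirect)


# Constructed sample users: the public user's password has already expired.
USERS = {
    PUBLIC_UID: User(PUBLIC_UID, "public", password_expired=True),
    7: User(7, "alice", password_expired=False),
    8: User(8, "bob", password_expired=True),
}


def scenario(uid: int, mfa_pending: bool, redirect: Optional[str] = None) -> Dict[str, str]:
    """Run one login attempt through both implementations and return the URLs."""
    session = Session(pre_uid=uid) if mfa_pending else Session(uid=uid)
    env = Env(session, USERS)
    return {
        "old": web_login_old(session, env, uid, redirect),
        "fixed": login_redirect_fixed(session, env, uid, redirect),
    }


if __name__ == "__main__":
    # alice with MFA pending: old code bounces her to the *public* user's reset form
    print("alice, MFA pending:", scenario(7, mfa_pending=True))
    # bob, fully logged in with an expired password: both versions redirect to reset
    print("bob, fully logged :", scenario(8, mfa_pending=False))
```

The decisive line in the fix is the early `if not session.uid` return: it routes every partially authenticated session back to the base redirect before `env.user` is consulted, so the expiry check can only ever run against the user who actually completed authentication.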