details:   https://code.tryton.org/tryton/commit/c2839b6f4a73
branch:    default
user:      Nicolas Évrard <[email protected]>
date:      Fri Oct 24 18:13:01 2025 +0200
description:
        Apply SQLite types in check_session query

        Closes #14315
diffstat:

 trytond/trytond/security.py            |  15 +++++--
 trytond/trytond/tests/test_security.py |  58 ++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 5 deletions(-)

diffs (94 lines):

diff -r c85151a16cfe -r c2839b6f4a73 trytond/trytond/security.py
--- a/trytond/trytond/security.py       Wed Aug 06 18:26:09 2025 +0200
+++ b/trytond/trytond/security.py       Fri Oct 24 18:13:01 2025 +0200
@@ -19,6 +19,7 @@
 from trytond import backend, config
 from trytond.exceptions import LoginException, RateLimitException
 from trytond.pool import Pool
+from trytond.tools import sqlite_apply_types
 from trytond.transaction import Transaction
 
 logger = logging.getLogger(__name__)
@@ -184,11 +185,15 @@
     try:
         ir_session = Table('ir_session')
         cursor = conn.cursor()
-        cursor.execute(*ir_session.select(
-                Coalesce(ir_session.write_date, ir_session.create_date),
-                ir_session.key,
-                where=((ir_session.create_uid == user)
-                    & (ir_session.ip_address == ip_addr))))
+        session_query = ir_session.select(
+            Coalesce(
+                ir_session.write_date, ir_session.create_date).as_('date'),
+            ir_session.key,
+            where=((ir_session.create_uid == user)
+                & (ir_session.ip_address == ip_addr)))
+        if backend.name == 'sqlite':
+            sqlite_apply_types(session_query, ['DATETIME', None])
+        cursor.execute(*session_query)
         for session_date, session_key in cursor:
             if abs(session_date - now) < timeout:
                 if compare_digest(session_key, session):
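Review bot: The SQLite branch added before `cursor.execute(*session_query)` carries no comment saying why it is needed or that `['DATETIME', None]` is positional, one entry per selected column. This query feeds the session-validity check, so a later edit that reorders the columns or drops the `.as_('date')` alias (which appears to exist only so the type can be attached; confirm against `sqlite_apply_types`) would presumably bring `session_date` back untyped on SQLite and break `abs(session_date - now)`. I would add above the `if`: `# SQLite returns the Coalesce() result untyped: declare column 1 as DATETIME (list is positional).` The enclosing function starts and ends outside this hunk, so how a failure at the subtraction is handled cannot be seen from these lines.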
diff -r c85151a16cfe -r c2839b6f4a73 trytond/trytond/tests/test_security.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/trytond/trytond/tests/test_security.py    Fri Oct 24 18:13:01 2025 +0200
@@ -0,0 +1,58 @@
+# This file is part of Tryton.  The COPYRIGHT file at the top level of this
+# repository contains the full copyright notices and license terms.
+
+from trytond import security
+from trytond.pool import Pool
+from trytond.tests.test_tryton import RouteTestCase, with_transaction
+from trytond.transaction import Transaction
+
+
+class SecurityTestCase(RouteTestCase):
+    "Test security"
+    module = 'res'
+
+    @classmethod
+    def setUpDatabase(cls):
+        pool = Pool()
+        User = pool.get('res.user')
+        User.create([{
+                    'name': 'user',
+                    'login': 'user',
+                    'password': '12345678',
+                    }])
+
+    @with_transaction()
+    def tearDown(self):
+        pool = Pool()
+        Session = pool.get('ir.session')
+        Session.delete(Session.search([]))
+        Transaction().commit()
+
+    @with_transaction()
+    def test_check_session(self):
+        "Testing check_session"
+        pool = Pool()
+        User = pool.get('res.user')
+        Session = pool.get('ir.session')
+
+        db_name = Transaction().database.name
+        user, = User.search([('login', '=', 'user')])
+        with Transaction().set_user(user.id):
+            key = Session.new()
+
+        Transaction().commit()
+
+        user_id = security.check_session(db_name, user.id, key)
+        self.assertEqual(user_id, user.id)
+
+    @with_transaction()
+    def test_check_session_invalid(self):
+        "Testing check_session with an invalid session"
+        pool = Pool()
+        User = pool.get('res.user')
+
+        db_name = Transaction().database.name
+        user, = User.search([('login', '=', 'user')])
+
+        user_id = security.check_session(db_name, user.id, "invalid key")
+        self.assertIsNone(user_id)
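Review bot: `test_check_session_invalid` calls `check_session` without creating any session first, so with `tearDown` emptying `ir.session` the query most likely returns no rows and neither the date comparison nor `compare_digest` is reached. The rejection path of an authentication check is worth exercising against a real row: create a session as `test_check_session` does (`with Transaction().set_user(user.id): Session.new()` followed by `Transaction().commit()`) before passing `"invalid key"`. A case for a session older than the timeout is also missing; it would cover the other outcome of the comparison on the typed date column that this commit fixes.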
