[FIX] auth_signup, website: make reset password multi website friendly

The "reset password" feature does not take into account multi-website. steps to reproduce: - create a website A - uncheck 'Shared Customer Accounts' on website A - create a portal user [email protected] on website A - create a website B - uncheck 'Shared Customer Accounts' on website B - create a portal user [email protected] on website B - reset password for [email protected] on any website before this commit: An error is raised "No account found for this login" (which is false, actually 2 accounts are found) after this commit: Only the user linked to the current website is properly selected opw-3551540 closes odoo#141925 X-original-commit: 4fd3b7a Signed-off-by: Romain Derie (rde) <[email protected]>
metricwise · Nov 13, 2023 · 4e53ef2 · 4e53ef2
1 parent 8908de0
commit 4e53ef2
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 3 deletions.
diff --git a/addons/auth_signup/i18n/auth_signup.pot b/addons/auth_signup/i18n/auth_signup.pot
@@ -483,6 +483,12 @@ msgstr ""
 msgid "Let your customers log in to see their documents"
 msgstr ""
 
+#. module: auth_signup
+#: code:addons/auth_signup/models/res_users.py:0
+#, python-format
+msgid "Multiple accounts found for this email"
+msgstr ""
+
 #. module: auth_signup
 #: model:ir.model.fields.selection,name:auth_signup.selection__res_users__state__new
 msgid "Never Connected"

diff --git a/addons/auth_signup/models/res_users.py b/addons/auth_signup/models/res_users.py
@@ -152,11 +152,14 @@ def reset_password(self, login):
         """ retrieve the user corresponding to login (login or email),
             and reset their password
         """
-        users = self.search([('login', '=', login)])
+        users = self.search(self._get_login_domain(login))
+        if not users:
+            users = self.search(self._get_email_domain(login))
+
         if not users:
-            users = self.search([('email', '=', login)])
-        if len(users) != 1:
             raise Exception(_('Reset password: invalid username or email'))
+        if len(users) > 1:
+            raise Exception(_('Multiple accounts found for this email'))
         return users.action_reset_password()
 
     def action_reset_password(self):

diff --git a/addons/website/models/res_users.py b/addons/website/models/res_users.py
@@ -41,6 +41,11 @@ def _get_login_domain(self, login):
         website = self.env['website'].get_current_website()
         return super(ResUsers, self)._get_login_domain(login) + website.website_domain()
 
+    @api.model
+    def _get_email_domain(self, email):
+        website = self.env['website'].get_current_website()
+        return super()._get_email_domain(email) + website.website_domain()
+
     @api.model
     def _get_login_order(self):
         return 'website_id, ' + super(ResUsers, self)._get_login_order()

diff --git a/addons/website/tests/test_website_reset_password.py b/addons/website/tests/test_website_reset_password.py
@@ -75,3 +75,26 @@ def test_02_multi_user_login(self):
         # The most specific user should be selected
         self.authenticate("[email protected]", "[email protected]")
         self.assertEqual(self.session["uid"], user2.id)
+
+    def test_multi_website_reset_password_user_specific_user_account(self):
+        # Create same user on different websites with 'Specific User Account'
+        # option enabled and then reset password. Only the user from the
+        # current website should be reset.
+        website_1, website_2 = self.env['website'].create([
+            {'name': 'Website 1', 'specific_user_account': True},
+            {'name': 'Website 2', 'specific_user_account': True},
+        ])
+
+        login = '[email protected]'  # same login for both users
+        user_website_1, user_website_2 = self.env['res.users'].with_context(no_reset_password=True).create([
+            {'website_id': website_1.id, 'login': login, 'email': login, 'name': login},
+            {'website_id': website_2.id, 'login': login, 'email': login, 'name': login},
+        ])
+
+        self.assertFalse(user_website_1.signup_valid)
+        self.assertFalse(user_website_2.signup_valid)
+
+        self.env['res.users'].with_context(website_id=website_1.id).reset_password(login)
+
+        self.assertTrue(user_website_1.signup_valid)
+        self.assertFalse(user_website_2.signup_valid)
diff --git a/odoo/addons/base/models/res_users.py b/odoo/addons/base/models/res_users.py
@@ -697,6 +697,10 @@ def _update_last_login(self):
     def _get_login_domain(self, login):
         return [('login', '=', login)]
 
+    @api.model
+    def _get_email_domain(self, email):
+        return [('email', '=', email)]
+
     @api.model
     def _get_login_order(self):
         return self._order