[FIX] always check the uid in the session and the one in the request to avoid session mismatch...

auth_from_http_remote_user/__init__.py

@@ -22,3 +22,4 @@
 from . import controllers
 from . import res_config
 from . import res_users
+from . import model

auth_from_http_remote_user/controllers/main.py

@@ -25,6 +25,8 @@ import openerp
 from openerp import http
 from openerp.http import request
 from openerp.addons.web.controllers import main
+from openerp.addons.auth_from_http_remote_user.model import \
+    AuthFromHttpRemoteUserInstalled
 from .. import utils
 
 import random
@@ -41,11 +43,10 @@ class Home(main.Home):
     @http.route('/web', type='http', auth="none")
     def web_client(self, s_action=None, **kw):
         main.ensure_db()
-        if not request.session.uid:
+        try:
-            try:
+            self._bind_http_remote_user(http.request.session.db)
-                self._bind_http_remote_user(http.request.session.db)
+        except http.AuthenticationError:
-            except http.AuthenticationError:
+            return werkzeug.exceptions.Unauthorized().get_response()
-                return werkzeug.exceptions.Unauthorized().get_response()
         return super(Home, self).web_client(s_action, **kw)
 
     def _get_user_id_from_attributes(self, res_users, cr):
@@ -65,13 +66,15 @@ class Home(main.Home):
         try:
             registry = openerp.registry(db_name)
             with registry.cursor() as cr:
-                modules = registry.get('ir.module.module')
+                if AuthFromHttpRemoteUserInstalled._name not in registry:
-                domain = ['&',
-                          ('name', '=', 'auth_from_http_remote_user'),
-                          ('state', '=', 'installed')]
-                installed = modules.search_count(cr, SUPERUSER_ID, domain) == 1
-                if not installed:
                     return
+                res_users = registry.get('res.users')
+                # get the user
+                user_id = self._get_user_id_from_attributes(res_users,
+                                                            cr)
+                if request.session.uid and request.session.uid == user_id:
+                    return
+
                 config = registry.get('base.config.settings')
                 # get parameters for SSO
                 default_login_page_disabled = \
@@ -79,10 +82,6 @@ class Home(main.Home):
                                                           SUPERUSER_ID,
                                                           None)
 
-                # get the user
-                res_users = registry.get('res.users')
-                user_id = self._get_user_id_from_attributes(res_users,
-                                                            cr)
 
                 if user_id is None:
                     if default_login_page_disabled:

auth_from_http_remote_user/model.py

@@ -0,0 +1,27 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+#    Author: Laurent Mignon
+#    Copyright 2014 'ACSONE SA/NV'
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU Affero General Public License as
+#    published by the Free Software Foundation, either version 3 of the
+#    License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+##############################################################################
+from openerp.osv import orm
+
+
+class AuthFromHttpRemoteUserInstalled(orm.AbstractModel):
+    """An abstract model used to safely now if the module is installed
+    """
+    _name = 'auth_from_http_remote_user.installed'