[15.0][FIX] password_security: Fix error when the password hash will …

…be updated after the round change from 25000 to 600000 in core odoo

password_security/models/res_users.py

@@ -215,7 +215,7 @@ def _set_encrypted_password(self, uid, pw):
         res = super(ResUsers, self)._set_encrypted_password(uid, pw)
         if not self.env.user.company_id.password_policy_enabled:
             return res
-        self.write({"password_history_ids": [(0, 0, {"password_crypt": pw})]})
+        self.sudo().write({"password_history_ids": [(0, 0, {"password_crypt": pw})]})
         return res
 
     def action_reset_password(self):

password_security/tests/test_res_users.py

@@ -1,6 +1,8 @@
 # Copyright 2015 LasLabs Inc.
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
 
+import passlib.context
+
 from odoo.exceptions import UserError
 from odoo.tests.common import TransactionCase
 
@@ -146,3 +148,20 @@ def test_user_with_admin_rights_can_create_users(self):
             }
         )
         test1.unlink()
+
+    def test_update_password_on_login(self):
+        user = self.rec_id.with_user(self.rec_id)
+        self.rec_id.groups_id = [(6, 0, self.env.ref("base.group_portal").ids)]
+
+        # Prepare the case where the same password is already stored with a weaker
+        # crypt context
+        ctx = user._crypt_context()
+        cfg = ctx.to_dict()
+        cfg["pbkdf2_sha512__rounds"] -= 1
+        ctx = passlib.context.CryptContext(**cfg)
+        hash_password = ctx.hash if hasattr(ctx, "hash") else ctx.encrypt
+
+        self.rec_id._set_encrypted_password(user.id, hash_password(self.password))
+
+        # Login with the password now will update it
+        user._check_credentials(self.password, {"interactive": True})