From 454e9deac7b6295fe564025d6bf98ec4cbb23a80 Mon Sep 17 00:00:00 2001
From: fkantelberg <florian.kantelberg@initos.com>
Date: Tue, 30 Jan 2024 16:26:09 +0100
Subject: [PATCH] [15.0][FIX] password_security: Fix error when the password
 hash will be updated after the round change from 25000 to 600000 in core odoo

---
 password_security/models/res_users.py     |  2 +-
 password_security/tests/test_res_users.py | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/password_security/models/res_users.py b/password_security/models/res_users.py
index 7eed74270c..1a755c99db 100644
--- a/password_security/models/res_users.py
+++ b/password_security/models/res_users.py
@@ -215,7 +215,7 @@ def _set_encrypted_password(self, uid, pw):
         res = super(ResUsers, self)._set_encrypted_password(uid, pw)
         if not self.env.user.company_id.password_policy_enabled:
             return res
-        self.write({"password_history_ids": [(0, 0, {"password_crypt": pw})]})
+        self.sudo().write({"password_history_ids": [(0, 0, {"password_crypt": pw})]})
         return res
 
     def action_reset_password(self):
diff --git a/password_security/tests/test_res_users.py b/password_security/tests/test_res_users.py
index 0de0ef3048..789814c242 100644
--- a/password_security/tests/test_res_users.py
+++ b/password_security/tests/test_res_users.py
@@ -1,6 +1,8 @@
 # Copyright 2015 LasLabs Inc.
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
 
+import passlib.context
+
 from odoo.exceptions import UserError
 from odoo.tests.common import TransactionCase
 
@@ -146,3 +148,20 @@ def test_user_with_admin_rights_can_create_users(self):
             }
         )
         test1.unlink()
+
+    def test_update_password_on_login(self):
+        user = self.rec_id.with_user(self.rec_id)
+        self.rec_id.groups_id = [(6, 0, self.env.ref("base.group_portal").ids)]
+
+        # Prepare the case where the same password is already stored with a weaker
+        # crypt context
+        ctx = user._crypt_context()
+        cfg = ctx.to_dict()
+        cfg["pbkdf2_sha512__rounds"] -= 1
+        ctx = passlib.context.CryptContext(**cfg)
+        hash_password = ctx.hash if hasattr(ctx, "hash") else ctx.encrypt
+
+        self.rec_id._set_encrypted_password(user.id, hash_password(self.password))
+
+        # Login with the password now will update it
+        user._check_credentials(self.password, {"interactive": True})