Commit b9cdfb58 authored by Jérome Perrin's avatar Jérome Perrin

core: display login in caption

user_id are technical things that should not be displayed to users.

In the case of tokens, for now we show "something that's not user id / not the
token secret". That's not ideal but as far as I know whe don't really have use
cases of tokens to show a page where user caption would be displayed.
parent d87bda30
...@@ -31,6 +31,8 @@ from ZPublisher.HTTPRequest import HTTPRequest ...@@ -31,6 +31,8 @@ from ZPublisher.HTTPRequest import HTTPRequest
from ZPublisher.HTTPResponse import HTTPResponse from ZPublisher.HTTPResponse import HTTPResponse
from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlugin from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlugin
from DateTime import DateTime from DateTime import DateTime
import urllib
import httplib
import base64 import base64
import StringIO import StringIO
import mock import mock
...@@ -124,6 +126,30 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase): ...@@ -124,6 +126,30 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase):
# this is also what will appear in Z2.log # this is also what will appear in Z2.log
_setUserNameForAccessLog.assert_called_once_with(login, self.portal.REQUEST) _setUserNameForAccessLog.assert_called_once_with(login, self.portal.REQUEST)
def test_user_caption(self):
person = self._createPerson(self.new_id)
access_url = "%s/Base_getUserCaption" % self.portal.absolute_url()
access_method = "GET"
access_token = self._createRestrictedAccessToken(
self.new_id,
person,
access_method,
access_url)
access_token.validate()
self.tic()
response = self.publish('/%s/Base_getUserCaption?%s' % (
self.portal.getId(),
urllib.urlencode({
'access_token': access_token.getId(),
'access_token_secret': access_token.getReference()})))
self.assertEqual(response.getStatus(), httplib.OK)
# XXX caption currently shows plugin id and relative URL of the token,
# that's not ideal.
self.assertEqual(
response.getBody(),
'erp5_access_token_plugin=%s' % access_token.getRelativeUrl())
def test_bad_token(self): def test_bad_token(self):
person = self._createPerson(self.new_id) person = self._createPerson(self.new_id)
access_url = "http://exemple.com/foo" access_url = "http://exemple.com/foo"
......
...@@ -190,6 +190,9 @@ class TestGoogleLogin(GoogleLoginTestCase): ...@@ -190,6 +190,9 @@ class TestGoogleLogin(GoogleLoginTestCase):
self.assertEqual(person.getUserId(), user_id) self.assertEqual(person.getUserId(), user_id)
self.assertEqual(getUserId(None), login) self.assertEqual(getUserId(None), login)
self.login(user_id)
self.assertEqual(self.portal.Base_getUserCaption(), login)
def test_auth_cookie(self): def test_auth_cookie(self):
request = self.portal.REQUEST request = self.portal.REQUEST
response = request.RESPONSE response = request.RESPONSE
......
# Proxy roles: Manager in case user cannot access their own document. return context.getPortalObject().portal_membership.getAuthenticatedMember().getUserName()
user = context.getPortalObject().portal_membership.getAuthenticatedMember() \ No newline at end of file
user_value = user.getUserValue()
try:
return user_value.getReference()
except AttributeError:
return user.getId()
...@@ -52,14 +52,6 @@ ...@@ -52,14 +52,6 @@
<key> <string>_params</string> </key> <key> <string>_params</string> </key>
<value> <string></string> </value> <value> <string></string> </value>
</item> </item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Manager</string>
</tuple>
</value>
</item>
<item> <item>
<key> <string>id</string> </key> <key> <string>id</string> </key>
<value> <string>Base_getUserCaption</string> </value> <value> <string>Base_getUserCaption</string> </value>
......
...@@ -914,9 +914,6 @@ class TestUserManagementExternalAuthentication(TestUserManagement): ...@@ -914,9 +914,6 @@ class TestUserManagementExternalAuthentication(TestUserManagement):
""" """
_, login, _ = self._makePerson() _, login, _ = self._makePerson()
pas_user, = self.portal.acl_users.searchUsers(login=login, exact_match=True)
reference = self.portal.restrictedTraverse(pas_user['path']).getReference()
base_url = self.portal.absolute_url(relative=1) base_url = self.portal.absolute_url(relative=1)
# without key we are Anonymous User so we should be redirected with proper HTML # without key we are Anonymous User so we should be redirected with proper HTML
...@@ -931,7 +928,8 @@ class TestUserManagementExternalAuthentication(TestUserManagement): ...@@ -931,7 +928,8 @@ class TestUserManagementExternalAuthentication(TestUserManagement):
# view front page we should be logged in if we use authentication key # view front page we should be logged in if we use authentication key
response = self.publish(base_url, env={self.user_id_key.replace('-', '_').upper(): login}) response = self.publish(base_url, env={self.user_id_key.replace('-', '_').upper(): login})
self.assertEqual(response.getStatus(), 200) self.assertEqual(response.getStatus(), 200)
self.assertTrue(reference in response.getBody()) self.assertIn('Logged In', response.getBody())
self.assertIn(login, response.getBody())
class TestLocalRoleManagement(RoleManagementTestCase): class TestLocalRoleManagement(RoleManagementTestCase):
...@@ -1466,3 +1464,19 @@ class TestReindexObjectSecurity(UserManagementTestCase): ...@@ -1466,3 +1464,19 @@ class TestReindexObjectSecurity(UserManagementTestCase):
check(['immediateReindexObject'] * (len(person) + 1)) check(['immediateReindexObject'] * (len(person) + 1))
self.tic() self.tic()
class TestUserCaption(UserManagementTestCase):
def test_zodb_user(self):
self.login()
self.assertEqual(self.portal.Base_getUserCaption(), 'ERP5TypeTestCase')
def test_anonymous_user(self):
self.logout()
self.assertEqual(self.portal.Base_getUserCaption(), 'Anonymous User')
def test_erp5_login(self):
user_id, login, _ = self._makePerson()
self.tic()
self.login(user_id)
self.assertEqual(self.portal.Base_getUserCaption(), login)
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment