make 'System Processes' a virtual ERP5 user.

This commit fixes the regression in 4b16e1dd where python scripts
generated by alarm, that can happen with upgrader, will be executed as
Anonymous because it's owner does not exist.

product/CMFActivity/ActivityTool.py

@@ -245,22 +245,23 @@ class Message(BaseMessage):
     portal = activity_tool.getPortalObject()
     portal_uf = portal.acl_users
     uf = portal_uf
-    user = uf.getUserById(user_name)
-    # if the user is not found, try to get it from a parent acl_users
-    # XXX this is still far from perfect, because we need to store all
-    # information about the user (like original user folder, roles) to
-    # replay the activity with exactly the same security context as if
-    # it had been executed without activity.
-    if user is None:
-      uf = portal.aq_parent.acl_users
-      user = uf.getUserById(user_name)
-    if user is None and user_name == system_user.getUserName():
+    if user_name == system_user.getUserName():
       # The following logic partly comes from unrestricted_apply()
       # implementation in ERP5Type.UnrestrictedMethod but we get roles
       # from the portal to have more roles.
       uf = portal_uf
       role_list = uf.valid_roles()
       user = PrivilegedUser(user_name, None, role_list, ()).__of__(uf)
+    else:
+      user = uf.getUserById(user_name)
+      # if the user is not found, try to get it from a parent acl_users
+      # XXX this is still far from perfect, because we need to store all
+      # information about the user (like original user folder, roles) to
+      # replay the activity with exactly the same security context as if
+      # it had been executed without activity.
+      if user is None:
+        uf = portal.aq_parent.acl_users
+        user = uf.getUserById(user_name)
     if user is not None:
       user = user.__of__(uf)
       newSecurityManager(None, user)

product/ERP5Security/ERP5UserFactory.py

@@ -18,6 +18,7 @@
 from Products.ERP5Type.Globals import InitializeClass
 from Acquisition import aq_inner, aq_parent
 from AccessControl import ClassSecurityInfo
+from AccessControl.User import system as system_user
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from App.config import getConfiguration
 from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
@@ -102,7 +103,7 @@ class ERP5User(PropertiedUser):
       As for getRolesInContext, we take into account _getAcquireLocalRoles for
       ERP5.
       """
-      if self.getUserName() == SUPER_USER:
+      if self.getUserName() in (SUPER_USER, system_user.getUserName()):
         # super user is allowed to accesss any object
         return 1
 

product/ERP5Security/ERP5UserManager.py

@@ -20,6 +20,7 @@ from AccessControl import ClassSecurityInfo
 from AccessControl.AuthEncoding import pw_validate
 from AccessControl.SecurityManagement import getSecurityManager,\
     setSecurityManager, newSecurityManager
+from AccessControl.User import system as system_user
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from Products.PluggableAuthService.PluggableAuthService import \
     _SWALLOWABLE_PLUGIN_EXCEPTIONS
@@ -124,7 +125,7 @@ class ERP5UserManager(BasePlugin):
           login = credentials.get('external_login')
           ignore_password = True
         # Forbidden the usage of the super user.
-        if login == SUPER_USER:
+        if login in (SUPER_USER, system_user.getUserName()):
           return None
 
         @UnrestrictedMethod
@@ -224,9 +225,9 @@ class ERP5UserManager(BasePlugin):
 
         id_list = []
         for user_id in id:
-          if SUPER_USER == user_id:
-            info = { 'id' : SUPER_USER
-                    , 'login' : SUPER_USER
+          if user_id in (SUPER_USER, system_user.getUserName()):
+            info = { 'id' : user_id
+                    , 'login' : user_id
                     , 'pluginid' : plugin_id
                     }
             user_info.append(info)

product/ERP5Security/tests/testERP5Security.py

@@ -219,6 +219,16 @@ class TestUserManagement(ERP5TypeTestCase):
     from Products.ERP5Security.ERP5UserManager import SUPER_USER
     self._assertUserDoesNotExists(SUPER_USER, '')
 
+  def test_PersonWithSystemProcessesLoginCannotBeCreated(self):
+    """Tests one cannot create person with the "super user" special login."""
+    from AccessControl.User import system as system_user
+    self.assertRaises(RuntimeError, self._makePerson, reference=system_user.getUserName())
+
+  def test_PersonWithSystemProcessesLogin(self):
+    """Tests one cannot use the "super user" special login."""
+    from AccessControl.User import system as system_user
+    self._assertUserDoesNotExists(system_user.getUserName(), '')
+
   def test_searchUsers(self):
     p1 = self._makePerson(reference='person1')
     p2 = self._makePerson(reference='person2')
@@ -402,6 +412,30 @@ class TestUserManagement(ERP5TypeTestCase):
     self.tic()
     self.assertEqual(None, person.getReference())
 
+  def test_scriptGenerationByAlarm(self):
+    """Make sure a script generated by alarm can be executed"""
+    self.portal = self.getPortal()
+    # create a security configuration script
+    skin_folder = self.portal.portal_skins.custom
+    if 'test_python_script' not in skin_folder.objectIds():
+      createZODBPythonScript(
+        skin_folder, 'test_alarm_script', '',
+        """
+script_id='test_python_script'
+script_params=''
+script_content='return context.getPortalObject().person_module.newContent().getId()'
+if getattr(container, script_id, None) is None:
+  container.manage_addProduct['PythonScripts'].manage_addPythonScript(id=script_id)
+  script = container[script_id]
+  script.ZPythonScript_edit(script_params, script_content)
+        """)
+    alarm = self.portal.portal_alarms.newContent(
+      active_sense_method_id='test_alarm_script'
+      )
+    alarm.activeSense()
+    self.tic()
+    self.assertTrue(self.portal.test_python_script() is not None)
+
 class TestUserManagementExternalAuthentication(TestUserManagement):
   def getTitle(self):
     """Title of the test."""