Fix AccessToken login with ERP5 Login

Backport final state of nexedi/erp5!838 API changed a bit after first backport in https://lab.nexedi.com/nexedi/erp5-capago/merge_requests/37

/reviewed-on https://lab.nexedi.com/nexedi/erp5-capago/merge_requests/38

bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/AccessToken_getUserId.xml → bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/AccessToken_getUserValue.xml

@@ -54,7 +54,7 @@
         </item>
         <item>
             <key> <string>id</string> </key>
-            <value> <string>AccessToken_getUserId</string> </value>
+            <value> <string>AccessToken_getUserValue</string> </value>
         </item>
       </dictionary>
     </pickle>

bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/OneTimeRestrictedAccessToken_getUserId.py → bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/OneTimeRestrictedAccessToken_getUserValue.py

@@ -14,7 +14,7 @@ if access_token_document.getValidationState() == 'validated':
 
     agent_document = access_token_document.getAgentValue()
     if agent_document is not None:
-      result = agent_document.Person_getUserId()
+      result = agent_document
       comment = "Token usage accepted"
 
   access_token_document.invalidate(comment=comment)

bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/OneTimeRestrictedAccessToken_getUserId.xml → bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/OneTimeRestrictedAccessToken_getUserValue.xml

@@ -54,7 +54,7 @@
         </item>
         <item>
             <key> <string>id</string> </key>
-            <value> <string>OneTimeRestrictedAccessToken_getUserId</string> </value>
+            <value> <string>OneTimeRestrictedAccessToken_getUserValue</string> </value>
         </item>
       </dictionary>
     </pickle>

bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getUserId.py → bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getUserValue.py

@@ -24,7 +24,8 @@ if access_token_document.getValidationState() == 'validated':
     if agent_document is not None:
       if agent_document.getPortalType() == 'Person':
         # if this is a token for a person, only make accept if person has valid
-        # assignments (for compatibility with login/password authentication)
+        # assignments and a validated login (for compatibility with login/password
+        # authentication)
         if agent_document.getValidationState() == 'deleted':
           return None
         now = DateTime()
@@ -37,6 +38,13 @@ if access_token_document.getValidationState() == 'validated':
             break
         else:
           return None
-      result = agent_document.Person_getUserId()
+
+        user, = context.getPortalObject().acl_users.searchUsers(
+            exact_match=True,
+            id=agent_document.Person_getUserId())
+        if not user['login_list']:
+          return None
+
+      result = agent_document
 
 return result

bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getUserId.xml → bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getUserValue.xml

@@ -54,7 +54,7 @@
         </item>
         <item>
             <key> <string>id</string> </key>
-            <value> <string>RestrictedAccessToken_getUserId</string> </value>
+            <value> <string>RestrictedAccessToken_getUserValue</string> </value>
         </item>
       </dictionary>
     </pickle>

product/ERP5Security/ERP5AccessTokenExtractionPlugin.py

@@ -67,10 +67,7 @@ class ERP5AccessTokenExtractionPlugin(BasePlugin):
     if token:
       creds['erp5_access_token_id'] = token
       creds['remote_host'] = request.get('REMOTE_HOST', '')
-      try:
       creds['remote_address'] = request.getClientAddr()
-      except AttributeError:
-        creds['remote_address'] = request.get('REMOTE_ADDR', '')
     return creds
 
   #######################
@@ -84,23 +81,12 @@ class ERP5AccessTokenExtractionPlugin(BasePlugin):
       erp5_access_token_id = credentials['erp5_access_token_id']
       token_document = self.getPortalObject().access_token_module.\
                      _getOb(erp5_access_token_id, None)
-      # Access Token should be validated
-      # Check restricted access of URL
-      # Extract login information
       if token_document is not None:
-        # Token API changed from returning a login to returning a user id.
-        # We detect if the old way of configuration is still in place and
-        # advise that configuration has to be updated in that case.
-        method = token_document._getTypeBasedMethod('getExternalLogin')
-        assert method is None, "Please update and remove obsolete method %r" % method
-
-        user_id = None
-        method = token_document._getTypeBasedMethod('getUserId')
+        method = token_document._getTypeBasedMethod('getUserValue')
         if method is not None:
-          user_id = method()
-
-        if user_id is not None:
-          return (user_id, 'token {erp5_access_token_id} for {user_id}'.format(**locals()))
+          user_value = method()
+          if user_value is not None:
+            return (user_value.getUserId(), token_document.getRelativeUrl())
 
 
 #Form for new plugin in ZMI