authentication_policy: do not depend on immediate reindex

Instead of forcing immediate reindex of password reset event, we can
create the document with a given activity tag, then if we find
activities with this tag, we can assume password reset was just created.

authentication_policy already uses this pattern for
Login_notifyLoginFailure and Login_isLoginBlocked

bt5/erp5_authentication_policy/SkinTemplateItem/portal_skins/erp5_authentication_policy/Login_isPasswordExpired.py

@@ -7,18 +7,22 @@ from Products.ERP5Type.Cache import CachingMethod
 request = context.REQUEST
 portal = context.getPortalObject()
 
-def _isPasswordExpired():
+def _isPasswordExpired(username):
   from DateTime import DateTime
   one_hour = 1/24.0
   now = DateTime()
   max_password_lifetime_duration = portal.portal_preferences.getPreferredMaxPasswordLifetimeDuration()
   password_lifetime_expire_warning_duration = portal.portal_preferences.getPreferredPasswordLifetimeExpireWarningDuration()
+  expire_date_warning = 0
+  # if password was just changed, login is not expired
+  # ( password_interaction_workflow/scripts/afterChangePassword reindexes with this tag)
+  if portal.portal_activities.countMessageWithTag('password_event_%s' % username):
+    return False, expire_date_warning
   last_password_event = portal.portal_catalog.getResultValue(
                                                 portal_type = 'Password Event',
                                                 default_destination_uid = context.getUid(),
                                                 validation_state = 'confirmed',
                                                 sort_on = (('creation_date', 'DESC',),))
-  expire_date_warning = 0 
   if last_password_event is not None:
     last_password_modification_date = last_password_event.getCreationDate()
     expire_date = last_password_modification_date + max_password_lifetime_duration*one_hour 
@@ -34,9 +38,9 @@ def _isPasswordExpired():
   return False, expire_date_warning
 
 _isPasswordExpired = CachingMethod(_isPasswordExpired,
-                                   id='Person_isPasswordExpired_%s' %context.getReference(),
+                                   id='Person_isPasswordExpired',
                                    cache_factory='erp5_content_short')
-is_password_expired, expire_date = _isPasswordExpired()
+is_password_expired, expire_date = _isPasswordExpired(context.getReference())
 
 request.set('is_user_account_password_expired', is_password_expired)
 request.set('is_user_account_password_expired_expire_date', expire_date)

bt5/erp5_authentication_policy/WorkflowTemplateItem/portal_workflow/password_interaction_workflow/scripts/afterChangePassword.py

@@ -13,6 +13,6 @@ if portal.portal_preferences.getPreferredNumberOfLastPasswordToCheck() or \
                                                            destination_value=login,
                                                            password=current_password)
     password_event.confirm()
-    # Person_isPasswordExpired cache the wrong result if document is not in catalog.
-    # As the document is created in the same transaction, it is possible to force reindexation
-    password_event.immediateReindexObject()
+    # reindex with a tag that will be checked in Login_isPasswordExpired
+    password_event.reindexObject(
+        activate_kw={'tag': 'password_event_%s' % login.getReference()})