password_tool: check password reset matches the policy

e9eb39b4 · Jérome Perrin · 885dca4a · e9eb39b4 · e9eb39b4
Commit e9eb39b4 authored Jan 12, 2017 by Jérome Perrin
Hide whitespace changes
Inline Side-by-side

Showing with 60 additions and 3 deletions

product/ERP5/Tool/PasswordTool.py product/ERP5/Tool/PasswordTool.py +9 -3

product/ERP5/tests/testAuthenticationPolicy.py product/ERP5/tests/testAuthenticationPolicy.py +51 -0

No files found.
--- a/product/ERP5/Tool/PasswordTool.py
+++ b/product/ERP5/Tool/PasswordTool.py
@@ -243,9 +243,15 @@ class PasswordTool(BaseTool):
        password_key]
    except KeyError:
      return []
-    user_list = portal.acl_users.erp5_users.getUserByLogin(register_user_login)
-    if user_list:
-      return user_list[0].analyzePassword(password)
+    user_dict_list = portal.acl_users.searchUsers(
+      login=register_user_login,
+      exact_match=True,
+    )
+    if user_dict_list:
+      user_dict, = user_dict_list
+      login_dict, = user_dict['login_list']
+      login = portal.unrestrictedTraverse(login_dict['path'])
+      return login.analyzePassword(password)
    return []

  security.declarePublic('changeUserPassword')

--- a/product/ERP5/tests/testAuthenticationPolicy.py
+++ b/product/ERP5/tests/testAuthenticationPolicy.py
@@ -742,9 +742,60 @@ class TestAuthenticationPolicy(ERP5TypeTestCase):
                                                 default_destination_uid = login.getUid(),
                                                 validation_state = "expired")))

+  def test_PasswordTool_resetPassword_checks_policy(self):
+    person = self.createUser(
+      self.id(),
+      password='current',
+      person_kw={'first_name': 'Alice'})
+    person.newContent(portal_type = 'Assignment').open()
+    login = person.objectValues(portal_type='ERP5 Login')[0]
+    preference = self.portal.portal_catalog.getResultValue(
+      portal_type='System Preference',
+      title='Authentication',)
    # Here we activate the "password should contain usename" policy
    # as a way to check that password reset checks are done in the
    # context of the login
+    preference.setPrefferedForceUsernameCheckInPassword(1)
+    self._clearCache()
+    self.tic()
+
+    reset_key = self.portal.portal_password.getResetPasswordKey(user_login=self.id())
+    ret = self.publish(
+      '%s/portal_password' % self.portal.getPath(),
+      stdin=StringIO(urllib.urlencode({
+        'Base_callDialogMethod:method': '',
+        'dialog_id': 'PasswordTool_viewResetPassword',
+        'dialog_method': 'PasswordTool_changeUserPassword',
+        'field_user_login': self.id(),
+        'field_your_password': 'alice',
+        'field_password_confirm': 'alice',
+        'field_your_password_key': reset_key,
+      })),
+      request_method="POST",
+      handle_errors=False)
+    self.assertEqual(httplib.OK, ret.getStatus())
+    self.assertIn(
+      '<span class="error">You can not use any parts of your '
+      'first and last name in password.</span>',
+      ret.getBody())
+
+    # now with a password complying to the policy
+    ret = self.publish(
+      '%s/portal_password' % self.portal.getPath(),
+      stdin=StringIO(urllib.urlencode({
+        'Base_callDialogMethod:method': '',
+        'dialog_id': 'PasswordTool_viewResetPassword',
+        'dialog_method': 'PasswordTool_changeUserPassword',
+        'field_user_login': self.id(),
+        'field_your_password': 'ok',
+        'field_password_confirm': 'ok',
+        'field_your_password_key': reset_key,
+      })),
+      request_method="POST",
+      handle_errors=False)
+    self.assertEqual(httplib.FOUND, ret.getStatus())
+    self.assertTrue(ret.getHeader('Location').endswith(
+    '/login_form?portal_status_message=Password+changed.'))

  def test_PreferenceTool_changePassword_checks_policy(self):
    person = self.createUser(self.id(), password='current')