erp5_authentication_policy: force user to change password if not yet do

See merge request nexedi/erp5!1196

erp5_authentication_policy: force user to change password if not yet do
See merge request nexedi/erp5!1196
2e8c2ad1 · Xiaowu Zhang · e2f46ae8 · 6a44a135 · 2e8c2ad1 · 2e8c2ad1
Commit 2e8c2ad1 authored Jul 15, 2020 by Xiaowu Zhang
2 changed files
--- a/bt5/erp5_authentication_policy/SkinTemplateItem/portal_skins/erp5_authentication_policy/Login_isPasswordExpired.py
+++ b/bt5/erp5_authentication_policy/SkinTemplateItem/portal_skins/erp5_authentication_policy/Login_isPasswordExpired.py
@@ -25,6 +25,13 @@ if password_event_list:
    password_lifetime_expire_warning_duration = portal_preferences.getPreferredPasswordLifetimeExpireWarningDuration()
    if password_lifetime_expire_warning_duration and now > expire_date - password_lifetime_expire_warning_duration * ONE_HOUR:
      expire_date_warning = expire_date
+else:
+  # No Password Event found means user doesn't yet change password
+  # Force user to change it if authentication policy is configured
+  if portal.portal_preferences.getPreferredMaxPasswordLifetimeDuration() is not None:
+    if context.getPassword():
+      is_password_expired = True
+
 request = portal.REQUEST
 request.set('is_user_account_password_expired', is_password_expired)
 request.set('is_user_account_password_expired_expire_date', expire_date_warning)

--- a/product/ERP5/tests/testAuthenticationPolicy.py
+++ b/product/ERP5/tests/testAuthenticationPolicy.py
@@ -132,6 +132,7 @@ class TestAuthenticationPolicy(ERP5TypeTestCase):
                              reference=username,
                              password=password)
    login.validate()
+    self.tic()
    return person

  def test_BlockLogin(self):
@@ -545,14 +546,32 @@ class TestAuthenticationPolicy(ERP5TypeTestCase):
    self.assertTrue(portal.portal_preferences.isAuthenticationPolicyEnabled())
    preference = portal.portal_catalog.getResultValue(portal_type = 'System Preference',
                                                      title = 'Authentication',)
-    preference.setPreferredMaxPasswordLifetimeDuration(24)
+    # No password event will be created for such configuration
+    preference.setPreferredNumberOfLastPasswordToCheck(0)
+    preference.setPreferredMaxPasswordLifetimeDuration(None)
    self.tic()
    self._clearCache()

    person = self.createUser('test-04',
                             password='used_ALREADY_1234')
    login = person.objectValues(portal_type='ERP5 Login')[0]
+    self.assertEqual(login.getDestinationRelatedValue(portal_type='Password Event'), None)
+    self.assertFalse(login.isPasswordExpired())
+    self.assertFalse(request['is_user_account_password_expired'])

+    # password is expired if no passwor event
+    preference.setPreferredMaxPasswordLifetimeDuration(24)
+    self.tic()
+    self._clearCache()
+    self.assertEqual(login.getDestinationRelatedValue(portal_type='Password Event'), None)
+    self.assertTrue(login.isPasswordExpired())
+    self.assertTrue(request['is_user_account_password_expired'])
+
+    # now set password to trigger password event creation
+    login.setPassword('used_ALREADY_1234')
+    self.tic()
+    self._clearCache()
+    self.assertTrue(login.getDestinationRelatedValue(portal_type='Password Event') is not None)
    self.assertFalse(login.isPasswordExpired())
    self.assertFalse(request['is_user_account_password_expired'])