Add _setPasswordByForce method which does not check permission.

Add permission check in _setPassword in order to protect changing
password without security check through edit method.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@26768 20353a03-c40f-0410-a6d1-a30d3c3de9de

product/ERP5/Document/Person.py

@@ -203,18 +203,26 @@ class Person(XMLObject):
       self._setEncodedPassword(value, format=format)
       self.reindexObject()
 
-    def _setPassword(self, value):
+    # Because both _setPassword and setPassword are considered as
+    # public method(They are callable from user directly or through edit method)
+    # _setPasswordByForce is needed to reset password without security check
+    # by Password Tool.
+    def _setPasswordByForce(self, value):
       self.password = PersistentMapping()
       self._setEncodedPassword(pw_encrypt(value))
 
+    def _setPassword(self, value):
+      if not _checkPermission(Permissions.SetOwnPassword, self):
+        raise AccessControl_Unauthorized('setPassword')
+      else:
+        self._setPasswordByForce(value)
+
     security.declarePublic('setPassword')
     def setPassword(self, value) :
       """
         Set the password, only if the password is not empty.
       """
       if value is not None:
-        if not _checkPermission(Permissions.SetOwnPassword, self):
-          raise AccessControl_Unauthorized('setPassword')
         self._setPassword(value)
         self.reindexObject()