Commit 66ee1d93 authored by Yusei Tahara's avatar Yusei Tahara

Add _setPasswordByForce method which does not check permission.

Add a permission check in _setPassword in order to prevent the password
from being changed without a security check through the edit method.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@26768 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 09838d78
...@@ -203,18 +203,26 @@ class Person(XMLObject): ...@@ -203,18 +203,26 @@ class Person(XMLObject):
self._setEncodedPassword(value, format=format) self._setEncodedPassword(value, format=format)
self.reindexObject() self.reindexObject()
def _setPassword(self, value): # Because both _setPassword and setPassword are considered as
# public method(They are callable from user directly or through edit method)
# _setPasswordByForce is needed to reset password without security check
# by Password Tool.
def _setPasswordByForce(self, value):
self.password = PersistentMapping() self.password = PersistentMapping()
self._setEncodedPassword(pw_encrypt(value)) self._setEncodedPassword(pw_encrypt(value))
def _setPassword(self, value):
if not _checkPermission(Permissions.SetOwnPassword, self):
raise AccessControl_Unauthorized('setPassword')
else:
self._setPasswordByForce(value)
security.declarePublic('setPassword') security.declarePublic('setPassword')
def setPassword(self, value) : def setPassword(self, value) :
""" """
Set the password, only if the password is not empty. Set the password, only if the password is not empty.
""" """
if value is not None: if value is not None:
if not _checkPermission(Permissions.SetOwnPassword, self):
raise AccessControl_Unauthorized('setPassword')
self._setPassword(value) self._setPassword(value)
self.reindexObject() self.reindexObject()
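Review bot: `_setPasswordByForce` keeps the `_set<Name>` accessor shape that the comment above it says makes `_setPassword` reachable through the edit method, so the unchecked path may be reachable the same way if edit maps a property name onto a `_set…` method; that dispatch is not visible in this hunk and should be confirmed. If it does, the bypass meant only for the Password Tool should get a name that edit cannot resolve, for example `def _forceSetPassword(self, value):`, with the call in `_setPassword` updated to match. The comment should also state the caller's obligation, e.g. `# No permission check here: the caller must already have authorised the reset.` The Person class begins outside the hunk, so any security declarations covering these methods elsewhere in the class are not visible here.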