base: better handling of passwords not set

When users with no password set try to login, this should be refused. It was not possible to login but because of an error (pw_validate does not support to be called with None). The error was catched by PAS and logged with level debug, so we did not notice. These changes are mostly about covering this in a test to make sure this does not regress and we also change the code not to raise the error.

base: better handling of passwords not set
When users with no password set try to login, this should be refused. It was not possible to login but because of an error (pw_validate does not support to be called with None). The error was catched by PAS and logged with level debug, so we did not notice. These changes are mostly about covering this in a test to make sure this does not regress and we also change the code not to raise the error.
8dec679c · Jérome Perrin · a2eb17cb · 8dec679c · 8dec679c
Commit 8dec679c authored Feb 01, 2022 by Jérome Perrin
Showing with 18 additions and 4 deletions

product/ERP5Security/ERP5LoginUserManager.py product/ERP5Security/ERP5LoginUserManager.py +4 -4

product/ERP5Security/tests/testERP5Security.py product/ERP5Security/tests/testERP5Security.py +14 -0

No files found.
--- a/product/ERP5Security/ERP5LoginUserManager.py
+++ b/product/ERP5Security/ERP5LoginUserManager.py
@@ -127,10 +127,10 @@ class ERP5LoginUserManager(BasePlugin):
    is_authentication_policy_enabled = self.getPortalObject().portal_preferences.isAuthenticationPolicyEnabled()
    if check_password:
      password = credentials.get('password')
-      if not password or not pw_validate(
+      login_password = login_value.getPassword()
-        login_value.getPassword(),
+      if (not password
-        password,
+          or login_password is None
-      ):
+          or not pw_validate(login_password, password)):
        if is_authentication_policy_enabled:
          login_value.notifyLoginFailure()
        return

--- a/product/ERP5Security/tests/testERP5Security.py
+++ b/product/ERP5Security/tests/testERP5Security.py
@@ -372,6 +372,20 @@ class TestUserManagement(UserManagementTestCase):
    self._assertUserDoesNotExists(login, 'None')
    self._assertUserDoesNotExists(login, '')
+  def test_PersonWithLoginWithoutPasswordAreNotUsers(self):
+    """Tests a person with a login but no password set is not a valid user."""
+    # similar to _makePerson, but not passing password= to newContent
+    login = 'login_%s' % self._login_generator()
+    new_person = self.portal.person_module.newContent(portal_type='Person')
+    new_person.newContent(portal_type='Assignment').open()
+    new_person.newContent(
+        portal_type='ERP5 Login',
+        reference=login,
+    ).validate()
+    self.tic()
+    self._assertUserDoesNotExists(login, '')
+    self._assertUserDoesNotExists(login, 'None')
  def test_PersonWithEmptyLoginAreNotUsers(self):
    """Tests a person with empty login & password is not a valid user."""
    _, login, _ = self._makePerson()