access_token: don't allow RestrictedAccessToken without another login

This keep the current behavior. Invalidating all logins is also a way to disable login for this user without having to find all tokens and invalidate them one by one

access_token: don't allow RestrictedAccessToken without another login
This keep the current behavior. Invalidating all logins is also a way to disable login for this user without having to find all tokens and invalidate them one by one
6f1656c9 · Jérome Perrin · 1008f619 · 6f1656c9 · 6f1656c9
Commit 6f1656c9 authored Mar 01, 2019 by Jérome Perrin
2 changed files
--- a/bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getUserId.py
+++ b/bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getUserId.py
@@ -24,7 +24,8 @@ if access_token_document.getValidationState() == 'validated':
    if agent_document is not None:
      if agent_document.getPortalType() == 'Person':
        # if this is a token for a person, only make accept if person has valid
-        # assignments (for compatibility with login/password authentication)
+        # assignments and a validated login (for compatibility with login/password
+        # authentication)
        if agent_document.getValidationState() == 'deleted':
          return None
        now = DateTime()
@@ -37,6 +38,12 @@ if access_token_document.getValidationState() == 'validated':
            break
        else:
          return None
+        for login in agent_document.contentValues(
+            portal_type=context.getPortalObject().getPortalLoginTypeList()):
+          if login.getValidationState() == 'validated':
+            break
+        else:
+          return None
      result = agent_document.Person_getUserId()

 return result
--- a/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5AccessToken.py
+++ b/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5AccessToken.py
@@ -49,6 +49,7 @@ class AccessTokenTestCase(ERP5TypeTestCase):
    person = person_module.newContent(portal_type='Person',
      reference='TESTP-' + new_id)
    person.newContent(portal_type='Assignment').open()
+    person.newContent(portal_type='ERP5 Login', reference=new_id).validate()
    self.tic()
    return person

@@ -157,6 +158,28 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase):
    result = self._getTokenCredential(self.portal.REQUEST)
    self.assertFalse(result)

+  def test_token_without_login(self):
+    # Token does not work when person has no validated login
+    person = self._createPerson(self.new_id)
+    for login in person.contentValues(portal_type='ERP5 Login'):
+      login.invalidate()
+    access_url = "http://exemple.com/foo"
+    access_method = "GET"
+    access_token = self._createRestrictedAccessToken(self.new_id,
+                        person,
+                        access_method,
+                        access_url)
+    access_token.validate()
+    self.tic()
+
+    self.portal.REQUEST.form["access_token"] = access_token.getId()
+    self.portal.REQUEST["REQUEST_METHOD"] = access_method
+    self.portal.REQUEST["ACTUAL_URL"] = access_url
+    self.portal.REQUEST.form["access_token_secret"] = access_token.getReference()
+
+    result = self._getTokenCredential(self.portal.REQUEST)
+    self.assertFalse(result)
+
  def test_RestrictedAccessToken_getUserId(self):
    person = self._createPerson(self.new_id)
    access_url = "http://exemple.com/foo"