core: display login in caption

user_id are technical things that should not be displayed to users. In the case of tokens, for now we show "something that's not user id / not the token secret". That's not ideal but as far as I know whe don't really have use cases of tokens to show a page where user caption would be displayed.

core: display login in caption
user_id are technical things that should not be displayed to users. In the case of tokens, for now we show "something that's not user id / not the token secret". That's not ideal but as far as I know whe don't really have use cases of tokens to show a page where user caption would be displayed.
780a2570 · Jérome Perrin · 714520cf · 780a2570 · 780a2570 · 780a2570
Commit 780a2570 authored Aug 14, 2020 by Jérome Perrin
5 changed files
--- a/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5AccessToken.py
+++ b/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5AccessToken.py
@@ -31,6 +31,8 @@ from ZPublisher.HTTPRequest import HTTPRequest
 from ZPublisher.HTTPResponse import HTTPResponse
 from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlugin
 from DateTime import DateTime
+import urllib
+import httplib
 import base64
 import StringIO
 import mock
@@ -124,6 +126,30 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase):
    # this is also what will appear in Z2.log
    _setUserNameForAccessLog.assert_called_once_with(login, self.portal.REQUEST)

+  def test_user_caption(self):
+    person = self._createPerson(self.new_id)
+    access_url = "%s/Base_getUserCaption" % self.portal.absolute_url()
+    access_method = "GET"
+    access_token = self._createRestrictedAccessToken(
+        self.new_id,
+        person,
+        access_method,
+        access_url)
+    access_token.validate()
+    self.tic()
+
+    response = self.publish('/%s/Base_getUserCaption?%s' % (
+        self.portal.getId(),
+        urllib.urlencode({
+            'access_token': access_token.getId(),
+            'access_token_secret': access_token.getReference()})))
+    self.assertEqual(response.getStatus(), httplib.OK)
+    # XXX caption currently shows plugin id and relative URL of the token,
+    # that's not ideal.
+    self.assertEqual(
+        response.getBody(),
+        'erp5_access_token_plugin=%s' % access_token.getRelativeUrl())
+
  def test_bad_token(self):
    person = self._createPerson(self.new_id)
    access_url = "http://exemple.com/foo"

--- a/bt5/erp5_oauth_google_login/TestTemplateItem/portal_components/test.erp5.testGoogleLogin.py
+++ b/bt5/erp5_oauth_google_login/TestTemplateItem/portal_components/test.erp5.testGoogleLogin.py
@@ -190,6 +190,9 @@ class TestGoogleLogin(GoogleLoginTestCase):
    self.assertEqual(person.getUserId(), user_id)
    self.assertEqual(getUserId(None), login)

+    self.login(user_id)
+    self.assertEqual(self.portal.Base_getUserCaption(), login)
+
  def test_auth_cookie(self):
    request = self.portal.REQUEST
    response = request.RESPONSE

--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getUserCaption.py
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getUserCaption.py
-# Proxy roles: Manager in case user cannot access their own document.
-user = context.getPortalObject().portal_membership.getAuthenticatedMember()
-user_value = user.getUserValue()
-try:
-  return user_value.getReference()
-except AttributeError:
-  return user.getId()
+return context.getPortalObject().portal_membership.getAuthenticatedMember().getUserName()
\ No newline at end of file
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getUserCaption.xml
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getUserCaption.xml
@@ -52,14 +52,6 @@
            <key> <string>_params</string> </key>
            <value> <string></string> </value>
        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
        <item>
            <key> <string>id</string> </key>
            <value> <string>Base_getUserCaption</string> </value>

--- a/product/ERP5Security/tests/testERP5Security.py
+++ b/product/ERP5Security/tests/testERP5Security.py
@@ -811,9 +811,6 @@ class TestUserManagementExternalAuthentication(TestUserManagement):
    """

    _, login, _ = self._makePerson()
-    pas_user, = self.portal.acl_users.searchUsers(login=login, exact_match=True)
-    reference = self.portal.restrictedTraverse(pas_user['path']).getReference()
-
    base_url = self.portal.absolute_url(relative=1)

    # without key we are Anonymous User so we should be redirected with proper HTML
@@ -828,7 +825,8 @@ class TestUserManagementExternalAuthentication(TestUserManagement):
    # view front page we should be logged in if we use authentication key
    response = self.publish(base_url, env={self.user_id_key.replace('-', '_').upper(): login})
    self.assertEqual(response.getStatus(), 200)
-    self.assertTrue(reference in response.getBody())
+    self.assertIn('Logged In', response.getBody())
+    self.assertIn(login, response.getBody())


 class TestLocalRoleManagement(RoleManagementTestCase):
@@ -1363,3 +1361,19 @@ class TestReindexObjectSecurity(UserManagementTestCase):
    check(['immediateReindexObject'] * (len(person) + 1))
    self.tic()

+
+class TestUserCaption(UserManagementTestCase):
+
+  def test_zodb_user(self):
+    self.login()
+    self.assertEqual(self.portal.Base_getUserCaption(), 'ERP5TypeTestCase')
+
+  def test_anonymous_user(self):
+    self.logout()
+    self.assertEqual(self.portal.Base_getUserCaption(), 'Anonymous User')
+
+  def test_erp5_login(self):
+    user_id, login, _ = self._makePerson()
+    self.tic()
+    self.login(user_id)
+    self.assertEqual(self.portal.Base_getUserCaption(), login)