Commit ee71a4a1 by Jérome Perrin

access_token: don't allow RestrictedAccessToken without another login

This keeps the current behavior. Invalidating all logins is also a way to
disable login for this user without having to find all tokens and
invalidate them one by one.
1 parent e8cb8fb8
......@@ -24,7 +24,8 @@ if access_token_document.getValidationState() == 'validated':
if agent_document is not None:
if agent_document.getPortalType() == 'Person':
# if this is a token for a person, only make accept if person has valid
# assignments (for compatibility with login/password authentication)
# assignments and a validated login (for compatibility with login/password
# authentication)
if agent_document.getValidationState() == 'deleted':
return None
now = DateTime()
......@@ -38,6 +39,12 @@ if access_token_document.getValidationState() == 'validated':
else:
return None
user, = context.getPortalObject().acl_users.searchUsers(
exact_match=True,
id=agent_document.Person_getUserId())
if not user['login_list']:
return None
result = agent_document
return result
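Review bot: The `user, = ...` unpacking on the added `searchUsers(exact_match=True, id=...)` call asserts that exactly one user record comes back; zero results (presumably a Person without a user id, or one not yet indexed) or more than one would raise `ValueError` out of the credential-extraction path instead of denying the token. Treating anything other than a single match as a denial keeps the failure mode at `return None`, which is what the rest of the script does: `user_list = context.getPortalObject().acl_users.searchUsers(exact_match=True, id=agent_document.Person_getUserId())` followed by `if len(user_list) != 1 or not user_list[0]['login_list']: return None`. Whether a zero-result case can actually occur depends on `Person_getUserId` and the user manager, which are not visible here. The enclosing `if access_token_document.getValidationState() == 'validated':` block starts outside the hunk.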
......@@ -50,7 +50,8 @@ class AccessTokenTestCase(ERP5TypeTestCase):
reference='TESTP-' + new_id)
if password:
person.setPassword(password)
person.newContent(portal_type = 'Assignment').open()
person.newContent(portal_type='Assignment').open()
person.newContent(portal_type='ERP5 Login', reference=new_id).validate()
self.tic()
return person
......@@ -159,6 +160,28 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase):
result = self._getTokenCredential(self.portal.REQUEST)
self.assertFalse(result)
def test_token_without_login(self):
# Token does not work when person has no validated login
person = self._createPerson(self.new_id)
for login in person.contentValues(portal_type='ERP5 Login'):
login.invalidate()
access_url = "http://exemple.com/foo"
access_method = "GET"
access_token = self._createRestrictedAccessToken(self.new_id,
person,
access_method,
access_url)
access_token.validate()
self.tic()
self.portal.REQUEST.form["access_token"] = access_token.getId()
self.portal.REQUEST["REQUEST_METHOD"] = access_method
self.portal.REQUEST["ACTUAL_URL"] = access_url
self.portal.REQUEST.form["access_token_secret"] = access_token.getReference()
result = self._getTokenCredential(self.portal.REQUEST)
self.assertFalse(result)
def test_RestrictedAccessToken_getUserValue(self):
person = self._createPerson(self.new_id)
access_url = "http://exemple.com/foo"
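Review bot: `test_token_without_login` exercises a person whose ERP5 Login documents were invalidated, but not a person with no login document at all, and the two may take different paths through the new check (an empty `login_list` on a found user versus no user record to unpack). A companion test that removes the login documents created by `_createPerson` before validating the token, ending in the same `self.assertFalse(result)`, would pin that both cases are denied rather than raising. The test method is fully inside the hunk; the class continues outside it.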