From 5ee98e62334f58b2e3240b5d6338e6fe45a442c2 Mon Sep 17 00:00:00 2001 From: Rafael Monnerat Date: Mon, 12 Feb 2018 19:31:32 +0100 Subject: [PATCH 01/10] erp5_base: Upgrade login to Facebook/Google login when applicable. --- .../extension.erp5.PersonLoginMigration.py | 27 +++++++++++++------ 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/bt5/erp5_base/ExtensionTemplateItem/portal_components/extension.erp5.PersonLoginMigration.py b/bt5/erp5_base/ExtensionTemplateItem/portal_components/extension.erp5.PersonLoginMigration.py index 270e6dbf6f1..856f7b3506d 100644 --- a/bt5/erp5_base/ExtensionTemplateItem/portal_components/extension.erp5.PersonLoginMigration.py +++ b/bt5/erp5_base/ExtensionTemplateItem/portal_components/extension.erp5.PersonLoginMigration.py 
@@ -1,21 +1,32 @@ def migrateToERP5Login(self): assert self.getPortalType() == 'Person' + login_portal_type = 'ERP5 Login' reference = self.getReference() if not reference: # no user id and no login is required return - if not self.hasUserId() or self.getUserId() == reference: + if not (self.hasUserId() or self.getUserId() == reference): self.setUserId(reference) - if not self.hasPassword(): - # no login is required, but possibly another Login type object is required if implemented - return - if len(self.objectValues(portal_type=self.getPortalObject().getPortalLoginTypeList())): + + if reference.startswith("go_"): + login_portal_type = "Google Login" + reference = self.getDefaultEmailText() + elif reference.startswith("fb_"): + login_portal_type = "Facebook Login" + reference = reference[len("fb_"):] + else: + if not self.hasPassword(): + # no login is required, but possibly another Login type object is required if implemented + return + if len(self.objectValues(portal_type=login_portal_type)): # already migrated return login = self.newContent( - portal_type='ERP5 Login', + portal_type=login_portal_type, reference=reference, ) - login._setEncodedPassword(self.getPassword()) + if login_portal_type == "ERP5 Login": + login._setEncodedPassword(self.getPassword()) + self._setEncodedPassword(None) + login.validate() - self._setEncodedPassword(None) -- 2.30.9 From ce343a373017e56a6aaa25d081fe14861535f96b Mon Sep 17 00:00:00 2001 
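Review bot: In the `go_` branch the login reference is replaced by `self.getDefaultEmailText()` with no check that it is set, so a Person without a default email gets a validated Google Login with an empty reference. The early `if not reference: return` runs before the reassignment and does not cover this; add a second `if not reference: return` after the `if/elif/else` block. That email is a profile field rather than something derived from the original `go_` reference, so it is worth confirming it is still the address the account was created with before binding it as a login identity. The already-migrated check only looks inside the current Person, so two Persons sharing an email would each end up with a validated Google Login carrying the same reference.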
From: Rafael Monnerat Date: Tue, 20 Feb 2018 11:18:11 +0000 Subject: [PATCH 02/10] erp5_oauth_facebook_login: Include script to get Person from the login --- .../ERP5Site_getPersonFromFacebookLogin.py | 14 ++++ .../ERP5Site_getPersonFromFacebookLogin.xml | 70 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.py create mode 100644 bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.xml diff --git a/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.py b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.py new file mode 100644 index 00000000000..9377113f987 --- /dev/null +++ b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.py @@ -0,0 +1,14 @@ +from zExceptions import Unauthorized + +if REQUEST is not None: + raise Unauthorized + +portal_catalog = context.getPortalObject().portal_catalog + +login = portal_catalog.getResultValue( + portal_type="Facebook Login", + reference=login, + validation_state="validated") + +if login is not None: + return login.getParentValue().getRelativeUrl() diff --git a/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.xml b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.xml new file mode 100644 index 00000000000..6b19fdcf183 --- /dev/null +++ b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.xml 
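Review bot: `login` goes into the catalog query as `reference=login` without a check that it is non-empty, in a script that runs with the Manager proxy role (declared in the accompanying .xml). Depending on how the catalog treats an empty or None criterion, the reference filter may be dropped, and the Person of some other validated Facebook Login would be returned to the caller. Add `if not login: return None` right after the `REQUEST` guard. The same applies to ERP5Site_getPersonFromGoogleLogin.py in PATCH 03 and to `unrestrictedSearchGoogleLogin` / `unrestrictedSearchFacebookLogin` in PATCH 07 and 08.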
@@ -0,0 +1,70 @@ + + + + + + + + + + Script_magic + 3 + + + _bind_names + + + + + + + + + + _asgns + + + + name_container + container + + + name_context + context + + + name_m_self + script + + + name_subpath + traverse_subpath + + + + + + + + + + + _params + login, REQUEST=None + + + _proxy_roles + + + Manager + + + + + id + ERP5Site_getPersonFromFacebookLogin + + + + + -- 2.30.9 From 9f4eb686c3cecbc397f5151625999ad7652c24a0 Mon Sep 17 00:00:00 2001 From: Rafael Monnerat Date: Tue, 20 Feb 2018 11:18:35 +0000 Subject: [PATCH 03/10] erp5_oauth_google_login: Include script to get Person from the login --- .../ERP5Site_getPersonFromGoogleLogin.py | 14 +++++ .../ERP5Site_getPersonFromGoogleLogin.xml | 62 +++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.py create mode 100644 bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.xml diff --git a/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.py b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.py new file mode 100644 index 00000000000..2b6c75ff77e --- /dev/null +++ b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.py @@ -0,0 +1,14 @@ +from zExceptions import Unauthorized + +if REQUEST is not None: + raise Unauthorized + +portal_catalog = context.getPortalObject().portal_catalog + +login = portal_catalog.getResultValue( + portal_type="Google Login", + reference=login, + validation_state="validated") + +if login is not None: + return login.getParentValue().getRelativeUrl() 
diff --git a/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.xml b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.xml new file mode 100644 index 00000000000..0e1b533b5b7 --- /dev/null +++ b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.xml @@ -0,0 +1,62 @@ + + + + + + + + + + Script_magic + 3 + + + _bind_names + + + + + + + + + + _asgns + + + + name_container + container + + + name_context + context + + + name_m_self + script + + + name_subpath + traverse_subpath + + + + + + + + + + + _params + login, REQUEST=None + + + id + ERP5Site_getPersonFromGoogleLogin + + + + + -- 2.30.9 From e4170087858765d83cb2f7223132dbc80129c661 Mon Sep 17 00:00:00 2001 From: Rafael Monnerat Date: Tue, 20 Feb 2018 13:07:08 +0000 Subject: [PATCH 04/10] erp5_oauth_google_login: It is required Manager Proxy Role --- .../ERP5Site_getPersonFromGoogleLogin.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.xml b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.xml index 0e1b533b5b7..df4e15559ab 100644 --- a/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.xml +++ b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.xml @@ -52,6 +52,14 @@ _params login, REQUEST=None + + _proxy_roles + + + Manager + + + id ERP5Site_getPersonFromGoogleLogin -- 2.30.9 From 396de6b10e88395d7918ea28d313096485a337e7 Mon Sep 17 00:00:00 2001 
From: Rafael Monnerat Date: Thu, 1 Mar 2018 19:26:40 +0000 Subject: [PATCH 05/10] erp5_oauth_facebook_login: Use unrestrictedSearchResults to avoid security_uid (Speed up) When a script with manager proxy role is called from anonymous context, it include a HUGE list of security_uids, use unrestrictedSearchResults skips the unecessary usage of security_uids on catalog. --- .../extension.erp5.FacebookLoginUtility.py | 7 +++++ .../ERP5Site_getFacebookConnector.xml | 28 +++++++++++++++++++ .../FacebookConnector_view.xml | 2 +- 3 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getFacebookConnector.xml diff --git a/bt5/erp5_oauth_facebook_login/ExtensionTemplateItem/portal_components/extension.erp5.FacebookLoginUtility.py b/bt5/erp5_oauth_facebook_login/ExtensionTemplateItem/portal_components/extension.erp5.FacebookLoginUtility.py index 0863cdd92b8..f3c711a8531 100644 --- a/bt5/erp5_oauth_facebook_login/ExtensionTemplateItem/portal_components/extension.erp5.FacebookLoginUtility.py +++ b/bt5/erp5_oauth_facebook_login/ExtensionTemplateItem/portal_components/extension.erp5.FacebookLoginUtility.py @@ -37,5 +37,12 @@ def getAccessTokenFromCode(self, code, redirect_uri): code=code, redirect_uri=redirect_uri, app_id=client_id, app_secret=secret_key) +def unrestrictedSearchFacebookConnector(self): + return self.getPortalObject().portal_catalog.unrestrictedSearchResults( + portal_type="Facebook Connector", + reference="default", + validation_state="validated", + limit=2) + def getUserEntry(token): return getFacebookUserEntry(token) diff --git a/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getFacebookConnector.xml b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getFacebookConnector.xml new file mode 100644 index 00000000000..454a17f820e --- /dev/null 
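Review bot: `unrestrictedSearchFacebookConnector` bypasses catalog security but, unlike the login search added in PATCH 08, takes no `REQUEST=None` parameter and has no `raise Unauthorized` guard. It is published as the External Method ERP5Site_getFacebookConnector, and the connector documents it returns are presumably where `_getFacebookClientIdAndSecretKey` reads the app secret from (that helper's body is outside the hunk). Consider `def unrestrictedSearchFacebookConnector(self, REQUEST=None):` with `if REQUEST is not None: raise Unauthorized`, which needs the `zExceptions` import that PATCH 08 adds, plus a docstring saying why the search is unrestricted and that callers must not hand the result to untrusted code. `unrestrictedSearchGoogleConnector` in PATCH 06 has the same shape.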
+++ b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getFacebookConnector.xml @@ -0,0 +1,28 @@ + + + + + + + + + + _function + unrestrictedSearchFacebookConnector + + + _module + FacebookLoginUtility + + + id + ERP5Site_getFacebookConnector + + + title + + + + + + diff --git a/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/FacebookConnector_view.xml b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/FacebookConnector_view.xml index 9964b5f33aa..987d99b16cc 100644 --- a/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/FacebookConnector_view.xml +++ b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/FacebookConnector_view.xml @@ -115,7 +115,7 @@ title - Faceook Connector + Facebook Connector unicode_mode -- 2.30.9 From 45db4c4aee5efd8fc288c7a625fb3571f6b493d9 Mon Sep 17 00:00:00 2001 From: Rafael Monnerat Date: Thu, 1 Mar 2018 19:27:44 +0000 Subject: [PATCH 06/10] erp5_oauth_google_login: Use unrestrictedSearchResults to avoid security_uid (Speed up) When a script with manager proxy role is called from anonymous context, it include a HUGE list of security_uids, use unrestrictedSearchResults skips the unecessary usage of security_uids on catalog. --- .../extension.erp5.GoogleLoginUtility.py | 7 +++++ .../ERP5Site_getGoogleConnector.xml | 28 +++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getGoogleConnector.xml diff --git a/bt5/erp5_oauth_google_login/ExtensionTemplateItem/portal_components/extension.erp5.GoogleLoginUtility.py b/bt5/erp5_oauth_google_login/ExtensionTemplateItem/portal_components/extension.erp5.GoogleLoginUtility.py index 7b80a0de7b9..4a0124c3e5c 100644 
--- a/bt5/erp5_oauth_google_login/ExtensionTemplateItem/portal_components/extension.erp5.GoogleLoginUtility.py +++ b/bt5/erp5_oauth_google_login/ExtensionTemplateItem/portal_components/extension.erp5.GoogleLoginUtility.py @@ -49,5 +49,12 @@ def getAccessTokenFromCode(self, code, redirect_uri): credential_data = json.loads(credential.to_json()) return credential_data +def unrestrictedSearchGoogleConnector(self): + return self.getPortalObject().portal_catalog.unrestrictedSearchResults( + portal_type="Google Connector", + reference="default", + validation_state="validated", + limit=2) + def getUserEntry(access_token): return getGoogleUserEntry(access_token) \ No newline at end of file diff --git a/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getGoogleConnector.xml b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getGoogleConnector.xml new file mode 100644 index 00000000000..3789ef48c5a --- /dev/null +++ b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getGoogleConnector.xml @@ -0,0 +1,28 @@ + + + + + + + + + + _function + unrestrictedSearchGoogleConnector + + + _module + GoogleLoginUtility + + + id + ERP5Site_getGoogleConnector + + + title + + + + + + -- 2.30.9 From e5bc8739ee1250b784d41b06211b84b9c10dbc0d Mon Sep 17 00:00:00 2001 From: Rafael Monnerat Date: Tue, 6 Mar 2018 03:15:15 +0000 Subject: [PATCH 07/10] erp5_oauth_google_login: Search Login avoiding security_uids This makes exponentially faster, if you have way too many security uids. --- .../extension.erp5.GoogleLoginUtility.py | 11 ++++++++ .../ERP5Site_getGoogleLogin.xml | 28 +++++++++++++++++++ .../ERP5Site_getPersonFromGoogleLogin.py | 14 +++++----- 3 files changed, 46 insertions(+), 7 deletions(-) create mode 100644 bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getGoogleLogin.xml 
diff --git a/bt5/erp5_oauth_google_login/ExtensionTemplateItem/portal_components/extension.erp5.GoogleLoginUtility.py b/bt5/erp5_oauth_google_login/ExtensionTemplateItem/portal_components/extension.erp5.GoogleLoginUtility.py index 4a0124c3e5c..3574ef49328 100644 --- a/bt5/erp5_oauth_google_login/ExtensionTemplateItem/portal_components/extension.erp5.GoogleLoginUtility.py +++ b/bt5/erp5_oauth_google_login/ExtensionTemplateItem/portal_components/extension.erp5.GoogleLoginUtility.py @@ -1,6 +1,8 @@ import json import oauth2client.client from Products.ERP5Security.ERP5ExternalOauth2ExtractionPlugin import getGoogleUserEntry +from zExceptions import Unauthorized + SCOPE_LIST = ['https://www.googleapis.com/auth/userinfo.profile', 'https://www.googleapis.com/auth/userinfo.email'] @@ -56,5 +58,14 @@ def unrestrictedSearchGoogleConnector(self): validation_state="validated", limit=2) +def unrestrictedSearchGoogleLogin(self, login, REQUEST=None): + if REQUEST is not None: + raise Unauthorized + + return self.getPortalObject().portal_catalog.unrestrictedSearchResults( + portal_type="Google Login", + reference=login, + validation_state="validated", limit=1) + def getUserEntry(access_token): return getGoogleUserEntry(access_token) \ No newline at end of file diff --git a/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getGoogleLogin.xml b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getGoogleLogin.xml new file mode 100644 index 00000000000..e0764678839 --- /dev/null +++ b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getGoogleLogin.xml @@ -0,0 +1,28 @@ + + + + + + + + + + _function + unrestrictedSearchGoogleConnector + + + _module + GoogleLoginUtility + + + id + ERP5Site_getGoogleLogin + + + title + + + + + + 
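Review bot: The `_function` of the new External Method ERP5Site_getGoogleLogin is `unrestrictedSearchGoogleConnector`, not the `unrestrictedSearchGoogleLogin` function this commit adds to GoogleLoginUtility.py. As written, `context.ERP5Site_getGoogleLogin(login)` in ERP5Site_getPersonFromGoogleLogin.py is dispatched to the connector search, which takes no `login` argument, so the Google login lookup cannot work as intended. The Facebook counterpart in PATCH 08 points at `unrestrictedSearchFacebookLogin`; set `_function` here to `unrestrictedSearchGoogleLogin`.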
diff --git a/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.py b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.py index 2b6c75ff77e..a157badc1b6 100644 --- a/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.py +++ b/bt5/erp5_oauth_google_login/SkinTemplateItem/portal_skins/erp5_oauth_google_login/ERP5Site_getPersonFromGoogleLogin.py @@ -3,12 +3,12 @@ from zExceptions import Unauthorized if REQUEST is not None: raise Unauthorized -portal_catalog = context.getPortalObject().portal_catalog +login = context.ERP5Site_getGoogleLogin(login) -login = portal_catalog.getResultValue( - portal_type="Google Login", - reference=login, - validation_state="validated") +if login is None: + return login -if login is not None: - return login.getParentValue().getRelativeUrl() +if len(login) > 1: + raise ValueError("Duplicated User") + +return login[0].getParentValue().getRelativeUrl() -- 2.30.9 From 409d2691d502ee4ddc470655000e63ad024c47c7 Mon Sep 17 00:00:00 2001 From: Rafael Monnerat Date: Tue, 6 Mar 2018 03:16:19 +0000 Subject: [PATCH 08/10] erp5_oauth_facebook_login: Search Login avoiding security_uids This makes exponentially faster, if you have way too many security uids. --- .../extension.erp5.FacebookLoginUtility.py | 10 +++++++ .../ERP5Site_getFacebookLogin.xml | 28 +++++++++++++++++++ .../ERP5Site_getPersonFromFacebookLogin.py | 14 +++++----- 3 files changed, 45 insertions(+), 7 deletions(-) create mode 100644 bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getFacebookLogin.xml 
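Review bot: The result checks after `login = context.ERP5Site_getGoogleLogin(login)` do not match what the search returns. `unrestrictedSearchGoogleLogin` returns catalog results with `limit=1`, so `login is None` is presumably never true, an empty result reaches `login[0]` and raises IndexError, and `len(login) > 1` can never fire. Duplicate validated logins with the same reference are therefore resolved to whichever row comes back first instead of being rejected. Use `if not login: return None` and search with `limit=2` so the `raise ValueError("Duplicated User")` branch can actually refuse an ambiguous identity. ERP5Site_getPersonFromFacebookLogin.py and `unrestrictedSearchFacebookLogin` in PATCH 08 follow the same pattern.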
diff --git a/bt5/erp5_oauth_facebook_login/ExtensionTemplateItem/portal_components/extension.erp5.FacebookLoginUtility.py b/bt5/erp5_oauth_facebook_login/ExtensionTemplateItem/portal_components/extension.erp5.FacebookLoginUtility.py index f3c711a8531..165273cd315 100644 --- a/bt5/erp5_oauth_facebook_login/ExtensionTemplateItem/portal_components/extension.erp5.FacebookLoginUtility.py +++ b/bt5/erp5_oauth_facebook_login/ExtensionTemplateItem/portal_components/extension.erp5.FacebookLoginUtility.py @@ -2,6 +2,7 @@ import facebook from ZTUtils import make_query from Products.ERP5Security.ERP5ExternalOauth2ExtractionPlugin import getFacebookUserEntry +from zExceptions import Unauthorized def _getFacebookClientIdAndSecretKey(portal, reference="default"): """Returns facebook client id and secret key. @@ -44,5 +45,14 @@ def unrestrictedSearchFacebookConnector(self): validation_state="validated", limit=2) +def unrestrictedSearchFacebookLogin(self, login, REQUEST=None): + if REQUEST is not None: + raise Unauthorized + + return self.getPortalObject().portal_catalog.unrestrictedSearchResults( + portal_type="Facebook Login", + reference=login, + validation_state="validated", limit=1) + def getUserEntry(token): return getFacebookUserEntry(token) diff --git a/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getFacebookLogin.xml b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getFacebookLogin.xml new file mode 100644 index 00000000000..ea0d8cf8acb --- /dev/null +++ b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getFacebookLogin.xml @@ -0,0 +1,28 @@ + + + + + + + + + + _function + unrestrictedSearchFacebookLogin + + + _module + FacebookLoginUtility + + + id + ERP5Site_getFacebookLogin + + + title + + + + + + 
diff --git a/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.py b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.py index 9377113f987..8d8132b800b 100644 --- a/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.py +++ b/bt5/erp5_oauth_facebook_login/SkinTemplateItem/portal_skins/erp5_oauth_facebook_login/ERP5Site_getPersonFromFacebookLogin.py @@ -3,12 +3,12 @@ from zExceptions import Unauthorized if REQUEST is not None: raise Unauthorized -portal_catalog = context.getPortalObject().portal_catalog +login = context.ERP5Site_getFacebookLogin(login) -login = portal_catalog.getResultValue( - portal_type="Facebook Login", - reference=login, - validation_state="validated") +if login is None: + return login -if login is not None: - return login.getParentValue().getRelativeUrl() +if len(login) > 1: + raise ValueError("Duplicated User") + +return login[0].getParentValue().getRelativeUrl() -- 2.30.9 From 5983498171547edfa191b2f77557ec9c3507b28c Mon Sep 17 00:00:00 2001 From: Rafael Monnerat Date: Fri, 14 Sep 2018 17:20:29 +0200 Subject: [PATCH 09/10] ERP5Security: Allow user to login with a user created on the same transaction This allow during a subscription process, create a user and them create all documents using that user w/o rely on proxy roles (keeping good ownership across the documents). --- product/ERP5Security/ERP5LoginUserManager.py | 27 ++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/product/ERP5Security/ERP5LoginUserManager.py b/product/ERP5Security/ERP5LoginUserManager.py index 2e00d8bddda..054507252dd 100644 --- a/product/ERP5Security/ERP5LoginUserManager.py +++ b/product/ERP5Security/ERP5LoginUserManager.py 
@@ -34,6 +34,7 @@ from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin from Products.PluggableAuthService.utils import classImplements from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlugin from Products.PluggableAuthService.interfaces.plugins import IUserEnumerationPlugin +from Products.ERP5Type.TransactionalVariable import getTransactionalVariable from DateTime import DateTime from Products import ERP5Security from AccessControl import SpecialUsers @@ -274,6 +275,32 @@ class ERP5LoginUserManager(BasePlugin): } for user in user_list if user['user_id'] ] + + tv = getTransactionalVariable() + person = tv.get("transactional_user", None) + if person is not None: + erp5_login = person.objectValues("ERP5 Login")[0] + if (login is not None and erp5_login.getReference() == None) or \ + (id is not None and person.getUserId() == id[0]): + result.append({ + 'id': person.getUserId(), + # Note: PAS forbids us from returning more than one entry per given id, + # so take any available login. + 'login': erp5_login.getReference(), + 'pluginid': plugin_id, + + # Extra properties, specific to ERP5 + 'path': person.getPath(), + 'uid': person.getUid(), + 'login_list': [ + { + 'reference': erp5_login.getReference(), + 'path': erp5_login.getRelativeUrl(), + 'uid': erp5_login.getPath(), + } + ], + }) + for special_user_name in special_user_name_set: # Note: special users are a bastard design in Zope: they are expected to # have a user name (aka, a login), but no id (aka, they do not exist as -- 2.30.9 From 319a1b055591bd131073450be19928de1693c336 Mon Sep 17 00:00:00 2001 From: Rafael Monnerat Date: Wed, 19 Sep 2018 12:13:51 +0200 Subject: [PATCH 10/10] ERP5Security: GoogleLogin some properties don't always come --- product/ERP5Security/ERP5ExternalOauth2ExtractionPlugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
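Review bot: In the added `transactional_user` block the login match reads `erp5_login.getReference() == None`, which compares the new login's reference with None instead of with the requested `login`, so a lookup by login only succeeds when the reference is unset. A membership test against the requested value(s) was probably intended, e.g. `erp5_login.getReference() in login` if `login` is a sequence like `id`; the signature is outside the hunk, so please confirm. `person.objectValues("ERP5 Login")[0]` raises IndexError for a Person without an ERP5 Login, and `'uid': erp5_login.getPath()` stores a path where the person entry just above uses `person.getUid()`, so `'uid': erp5_login.getUid(),` seems meant. This entry is appended without the lookup applied to `user_list`, so a comment stating who may set `transactional_user` and whether the login must already be validated would help. The enclosing method starts and ends outside the hunk.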
diff --git a/product/ERP5Security/ERP5ExternalOauth2ExtractionPlugin.py b/product/ERP5Security/ERP5ExternalOauth2ExtractionPlugin.py index bbc36070430..5b08f1158eb 100644 --- a/product/ERP5Security/ERP5ExternalOauth2ExtractionPlugin.py +++ b/product/ERP5Security/ERP5ExternalOauth2ExtractionPlugin.py @@ -82,7 +82,7 @@ def getGoogleUserEntry(token): ('last_name', 'family_name'), ('email', 'email'), ('reference', 'email'),): - value = google_entry[k[1]].encode('utf-8') + value = google_entry.get(k[1], '').encode('utf-8') user_entry[k[0]] = value return user_entry -- 2.30.9
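Review bot: With `google_entry.get(k[1], '')` a response that lacks `email` now yields `user_entry['reference'] = ''` instead of failing, and `reference` is presumably the value later used to look up the Google Login. An empty identity should be rejected rather than passed on: keep the default for the optional name fields, but bail out when the email is missing, e.g. `if not google_entry.get('email'): return None` before the loop. A key that is present with a null value would still hit `.encode` on None. The start of getGoogleUserEntry is outside the hunk, so the right failure value for its callers needs checking.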