fixup! ERP5Security: Use a dedicated Login document to handle authentication.

4848edce · Kazuhiko Shiozaki · 7ac3444a · 4848edce · 4848edce · 4848edce
Commit 4848edce authored Oct 20, 2016 by Kazuhiko Shiozaki
10 changed files
--- a/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/Base_getValidatedLoginReferenceList.py
+++ b/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/Base_getValidatedLoginReferenceList.py
+person = context.ERP5Site_getAuthenticatedMemberPersonValue()
+if person is not None:
+  return [login for login in person.objectValues(portal_type='ERP5 Login')]
+else:
+  return []
--- a/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/Base_getValidatedLoginReferenceList.xml
+++ b/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/Base_getValidatedLoginReferenceList.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string></string> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>Base_getValidatedLoginReferenceList</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/CredentialRecovery_sendPasswordResetLink.py
+++ b/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/CredentialRecovery_sendPasswordResetLink.py
@@ -4,7 +4,7 @@ send the password reset link by mail
 portal = context.getPortalObject()

 person = context.getDestinationDecisionValue(portal_type="Person")
-reference = person.getReference()
+reference = context.getReference()
 if context.hasDocumentReference():
  message_reference = context.getDocumentReference()
 else:
@@ -14,7 +14,7 @@ if message_reference is None:
 notification_message = portal.NotificationTool_getDocumentValue(message_reference,
                                                                context.getLanguage())

-context.REQUEST.set('came_from', context.getUrlString())
+context.REQUEST.set('came_from', portal.absolute_url())

 if context.hasStopDate():
  kw = {'expiration_date':context.getStopDate()}

--- a/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/CredentialRecovery_sendUsernameRecoveryMessage.py
+++ b/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/CredentialRecovery_sendUsernameRecoveryMessage.py
@@ -4,13 +4,14 @@ send the username mail
 portal = context.getPortalObject()

 person_list = context.getDestinationDecisionValueList(portal_type="Person")
-usernames = []
+login_list = []
 for person in person_list:
-  usernames.append("%s" %person.getReference())
+  for login in person.objectValues(portal_type='ERP5 Login'):
+    if login.getValidationState() == 'validated':
+      login_list.append(login)

-usernames = " ".join(usernames)
+usernames = ' '.join(login.getReference() for login in login_list)

-reference_list = [x.getReference() for x in person_list]
 if context.hasDocumentReference():
  message_reference = context.getDocumentReference()
 else:

--- a/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/CredentialRequest_createUser.py
+++ b/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/CredentialRequest_createUser.py
@@ -12,26 +12,34 @@ portal = context.getPortalObject()
 portal_preferences = context.portal_preferences
 person = context.getDestinationDecisionValue(portal_type="Person")

+login_list = [x for x in person.objectValues(portal_type='ERP5 Login') \
+              if x.getValidationState() == 'validated']
+if len(login_list):
+  login = login_list[0]
+else:
+  login = person.newContent(portal_type='ERP5 Login')
 # Create user of the person only if not exist
-if person.hasReference() and person.getPassword():
+if person.hasReference() and login.hasPassword():
  return person.getReference(), None

 # Set login
-login = context.getReference()
-if not person.hasReference():
-  if not login:
+reference = context.getReference()
+if not login.hasReference():
+  if not reference:
    raise ValueError, "Impossible to create an account without login"
-  person.setReference(login)
+  login.setReference(reference)
+  if not person.hasReference():
+    person.setReference(reference)
 else:
-  login = person.getReference()
+  reference = person.getReference()

 password = None
-# Set password if no password on the person
-if not person.getPassword():
+# Set password if no password on the Login
+if not login.hasPassword():
  if context.getPassword():
    #User has fill a password
    password = context.getPassword()
-    person.setEncodedPassword(password)
+    login.setEncodedPassword(password)
  else:
    if not portal_preferences.isPreferredSystemGeneratePassword():
      # user will set it trough a credential recovery process
@@ -39,24 +47,27 @@ if not person.getPassword():
      module = portal.getDefaultModule(portal_type='Credential Recovery')
      credential_recovery = module.newContent(
                                     portal_type="Credential Recovery",
-                                     reference=login,
+                                     reference=reference,
                                     destination_decision=person.getRelativeUrl(),
                                     language=portal.Localizer.get_selected_language())
      credential_recovery.submit()
    else:
      # system should generate a password
      password = context.Person_generatePassword(alpha=5, numeric=3)
-      person.setPassword(password)
+      login.setPassword(password)

  # create a global account
  if context.ERP5Site_isSingleSignOnEnable():
    #The master manage encoded password and clear password
    person.Person_createNewGlobalUserAccount(password=password)
    person.Person_validateGlobalUserAccount()
+
+  if login.getValidationState() == 'draft':
+    login.validate()
 else:
  #Person has an already an account
  if context.ERP5Site_isSingleSignOnEnable():
    #Check assignment for the current instance
    person.Person_validateGlobalUserAccount()

-return login, password
+return reference, password
--- a/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/Credential_updatePersonPassword.py
+++ b/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/Credential_updatePersonPassword.py
@@ -4,5 +4,23 @@ Clear 'erp5_content_short' cache too."""
 person = context.getDestinationDecisionValue(portal_type="Person")

 if context.getPassword():
-  person.setEncodedPassword(context.getPassword())
+  login_list = [login for login in person.objectValues(portal_type='ERP5 Login') \
+                if login.getValidationState() == 'validated']
+  reference = context.getReference()
+  if reference:
+    for login in login_list:
+      if login.getReference() == reference:
+        break
+    else:
+      raise RuntimeError, 'Person %s does not have a validated Login with reference %r' % \
+          (person.getRelativeUrl(), reference)
+  else: # BBB when login reference is not set in Credential Update document.
+    if login_list:
+      login = sorted(login_list,
+                     key=lambda x:x.getReference() == person.getReference(), reverse=True)[0]
+    else:
+      raise RuntimeError, 'Person %s does not have a validated Login with reference %r' % \
+          (person.getRelativeUrl(), reference)
+  login.setEncodedPassword(context.getPassword())
  context.portal_caches.clearCache(('erp5_content_short',))
+  return login.getReference()
--- a/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/ERP5Site_newCredentialRecovery.py
+++ b/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/ERP5Site_newCredentialRecovery.py
@@ -40,15 +40,18 @@ if default_email_text is not None:
 else:
  # Case for recovery of password
  if person_list is None:
-    person_module = portal.getDefaultModule('Person')
-    result = person_module.searchFolder(reference={'query':reference, 'key':'ExactMatch'})
+    result = portal.portal_catalog(
+      portal_type=("ERP5 Login"),
+      parent_portal_type="Person",
+      reference={'query':reference, 'key':'ExactMatch'},
+      )
    if len(result) != 1:
      portal_status_message = portal.Base_translateString("Can't find corresponding person, it's not possible to recover your credentials.")
      if web_site is not None:
        return web_site.Base_redirect('', keep_items = dict(portal_status_message=portal_status_message ))
      return portal.Base_redirect('', keep_items = dict(portal_status_message=portal_status_message ))

-    person_list = [result[0].getObject(),]
+    person_list = [result[0].getObject().getParentValue(),]

  # Check the response
  person = person_list[0]

--- a/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/ERP5Site_newCredentialRequest.py
+++ b/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/ERP5Site_newCredentialRequest.py
@@ -45,7 +45,8 @@ credential_request.reindexObject(activate_kw=dict(tag='Person_setReference_%s' %
 if not context.portal_membership.isAnonymousUser():
  person = context.ERP5Site_getAuthenticatedMemberPersonValue()
  destination_decision = []
-  if person.getReference() == reference:
+  if reference in [x.getReference() for x in person.objectValues(portal_type='ERP5 Login')
+                   if x.getValidationState() == 'validated']:
    destination_decision.append(person.getRelativeUrl())
  if person.getDefaultCareerSubordinationTitle() == corporate_name:
    destination_decision.append(person.getDefaultCareerSubordination())

--- a/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/ERP5Site_newPersonCredentialUpdate.py
+++ b/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/ERP5Site_newPersonCredentialUpdate.py
@@ -9,6 +9,7 @@ else:
  module = portal.getDefaultModule(portal_type='Credential Update')
  credential_update = module.newContent(
    portal_type="Credential Update",
+    reference=reference,
    first_name=first_name,
    last_name=last_name,
    gender=gender,
@@ -44,9 +45,14 @@ else:
  # within same transaction and update client side credentials cookie 
  username = person.getReference()
  if password and username == str(portal.portal_membership.getAuthenticatedMember()):
-    credential_update.accept()
-    portal.cookie_authentication.credentialsChanged(username, username, password)
+    # The password is updated synchronously and the the rest of the credential Update is done later
+    login_reference = credential_update.Credential_updatePersonPassword()
    portal_status_message = "Password changed."
+    context.getPortalObject().cookie_authentication.credentialsChanged(
+      username,
+      login_reference,
+      password,
+      )

 portal_status_message = context.Base_translateString(portal_status_message)
 return portal.Base_redirect(keep_items = {'portal_status_message': portal_status_message})
--- a/product/ERP5/bootstrap/erp5_core/bt/template_action_path_list
+++ b/product/ERP5/bootstrap/erp5_core/bt/template_action_path_list
@@ -23,6 +23,7 @@ Attribute Unicity Constraint | view
 Base Category | view
 Base Domain | view
 Base Type | action_view
+Base Type | jump_property_sheets
 Base Type | role_view
 Base Type | translation_view
 Base Type | update_local_roles
@@ -79,10 +80,12 @@ Id Tool | view
 Memcached Plugin | view
 Memcached Tool | view
 Predicate | view
+Preference Tool Type | jump_property_sheets
 Preference Tool Type | view
 Preference Tool | advanced
 Preference Tool | view
 Preference Type | action_view
+Preference Type | jump_property_sheets
 Preference Type | role_view
 Preference Type | translation_view
 Preference Type | update_local_roles