From 66ee1d935c4093db68e1e5425c705ffa9961fa6e Mon Sep 17 00:00:00 2001
From: Yusei Tahara <yusei@nexedi.com>
Date: Fri, 1 May 2009 08:58:54 +0000
Subject: [PATCH] Add _setPasswordByForce method which does not check
 permission. Add permission check in _setPassword in order to protect changing
 password without security check through edit method.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@26768 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5/Document/Person.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/product/ERP5/Document/Person.py b/product/ERP5/Document/Person.py
index 935017495c..6cd37dfb86 100644
--- a/product/ERP5/Document/Person.py
+++ b/product/ERP5/Document/Person.py
@@ -203,18 +203,26 @@ class Person(XMLObject):
       self._setEncodedPassword(value, format=format)
       self.reindexObject()
 
-    def _setPassword(self, value):
+    # Because both _setPassword and setPassword are considered as
+    # public method(They are callable from user directly or through edit method)
+    # _setPasswordByForce is needed to reset password without security check
+    # by Password Tool.
+    def _setPasswordByForce(self, value):
       self.password = PersistentMapping()
       self._setEncodedPassword(pw_encrypt(value))
 
+    def _setPassword(self, value):
+      if not _checkPermission(Permissions.SetOwnPassword, self):
+        raise AccessControl_Unauthorized('setPassword')
+      else:
+        self._setPasswordByForce(value)
+
     security.declarePublic('setPassword')
     def setPassword(self, value) :
       """
         Set the password, only if the password is not empty.
       """
       if value is not None:
-        if not _checkPermission(Permissions.SetOwnPassword, self):
-          raise AccessControl_Unauthorized('setPassword')
         self._setPassword(value)
         self.reindexObject()
 
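Review bot: `_setPasswordByForce` still carries a `_set…` accessor-style name, so the path the added comment describes for `_setPassword` ("callable from user directly or through edit method") may resolve to the unchecked variant as well; the hunk does not show how edit looks up setters, so this needs confirming before relying on the new check. If setters are dispatched by name, move the bypass to a name outside that pattern and keep its callers limited to the Password Tool. The comment block above it would be better as a docstring on the method itself, e.g. `"""Set the password without any permission check; the caller must have authorised the change."""`. In `_setPassword` the `else:` after `raise` is redundant, so `self._setPasswordByForce(value)` can sit at the method's top level. The Person class starts and continues outside this hunk.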
-- 
2.30.9