access_token: don't allow RestrictedAccessToken without another login

This keep the current behavior. Invalidating all logins is also a way to disable login for this user without having to find all tokens and invalidate them one by one

access_token: don't allow RestrictedAccessToken without another login
This keep the current behavior. Invalidating all logins is also a way to disable login for this user without having to find all tokens and invalidate them one by one
ee71a4a1 · Jérome Perrin · e8cb8fb8 · ee71a4a1 · ee71a4a1
Commit ee71a4a1 authored Mar 01, 2019 by Jérome Perrin
2 changed files
--- a/bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getUserValue.py
+++ b/bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getUserValue.py
@@ -24,7 +24,8 @@ if access_token_document.getValidationState() == 'validated':
    if agent_document is not None:
      if agent_document.getPortalType() == 'Person':
        # if this is a token for a person, only make accept if person has valid
-        # assignments (for compatibility with login/password authentication)
+        # assignments and a validated login (for compatibility with login/password
+        # authentication)
        if agent_document.getValidationState() == 'deleted':
          return None
        now = DateTime()
@@ -38,6 +39,12 @@ if access_token_document.getValidationState() == 'validated':
        else:
          return None

+        user, = context.getPortalObject().acl_users.searchUsers(
+            exact_match=True,
+            id=agent_document.Person_getUserId())
+        if not user['login_list']:
+          return None
+
      result = agent_document

 return result
--- a/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5AccessToken.py
+++ b/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5AccessToken.py
@@ -50,7 +50,8 @@ class AccessTokenTestCase(ERP5TypeTestCase):
      reference='TESTP-' + new_id)
    if password:
      person.setPassword(password)
-    person.newContent(portal_type = 'Assignment').open()
+    person.newContent(portal_type='Assignment').open()
+    person.newContent(portal_type='ERP5 Login', reference=new_id).validate()
    self.tic()
    return person

@@ -159,6 +160,28 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase):
    result = self._getTokenCredential(self.portal.REQUEST)
    self.assertFalse(result)

+  def test_token_without_login(self):
+    # Token does not work when person has no validated login
+    person = self._createPerson(self.new_id)
+    for login in person.contentValues(portal_type='ERP5 Login'):
+      login.invalidate()
+    access_url = "http://exemple.com/foo"
+    access_method = "GET"
+    access_token = self._createRestrictedAccessToken(self.new_id,
+                        person,
+                        access_method,
+                        access_url)
+    access_token.validate()
+    self.tic()
+
+    self.portal.REQUEST.form["access_token"] = access_token.getId()
+    self.portal.REQUEST["REQUEST_METHOD"] = access_method
+    self.portal.REQUEST["ACTUAL_URL"] = access_url
+    self.portal.REQUEST.form["access_token_secret"] = access_token.getReference()
+
+    result = self._getTokenCredential(self.portal.REQUEST)
+    self.assertFalse(result)
+
  def test_RestrictedAccessToken_getUserValue(self):
    person = self._createPerson(self.new_id)
    access_url = "http://exemple.com/foo"