fixup! ERP5Security: Use a dedicated Login document to handle authentication.

bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/Base_getValidatedLoginReferenceList.py

+person = context.ERP5Site_getAuthenticatedMemberPersonValue()
+if person is not None:
+  return [login for login in person.objectValues(portal_type='ERP5 Login')]
+else:
+  return []

bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/Base_getValidatedLoginReferenceList.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string></string> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>Base_getValidatedLoginReferenceList</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/CredentialRecovery_sendPasswordResetLink.py

@@ -4,7 +4,7 @@ send the password reset link by mail
 portal = context.getPortalObject()
 
 person = context.getDestinationDecisionValue(portal_type="Person")
-reference = person.getReference()
+reference = context.getReference()
 if context.hasDocumentReference():
   message_reference = context.getDocumentReference()
 else:
@@ -14,7 +14,7 @@ if message_reference is None:
 notification_message = portal.NotificationTool_getDocumentValue(message_reference,
                                                                 context.getLanguage())
 
-context.REQUEST.set('came_from', context.getUrlString())
+context.REQUEST.set('came_from', portal.absolute_url())
 
 if context.hasStopDate():
   kw = {'expiration_date':context.getStopDate()}

bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/CredentialRecovery_sendUsernameRecoveryMessage.py

@@ -4,13 +4,14 @@ send the username mail
 portal = context.getPortalObject()
 
 person_list = context.getDestinationDecisionValueList(portal_type="Person")
-usernames = []
+login_list = []
 for person in person_list:
-  usernames.append("%s" %person.getReference())
+  for login in person.objectValues(portal_type='ERP5 Login'):
+    if login.getValidationState() == 'validated':
+      login_list.append(login)
 
-usernames = " ".join(usernames)
+usernames = ' '.join(login.getReference() for login in login_list)
 
-reference_list = [x.getReference() for x in person_list]
 if context.hasDocumentReference():
   message_reference = context.getDocumentReference()
 else:

bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/CredentialRequest_createUser.py

@@ -12,26 +12,34 @@ portal = context.getPortalObject()
 portal_preferences = context.portal_preferences
 person = context.getDestinationDecisionValue(portal_type="Person")
 
+login_list = [x for x in person.objectValues(portal_type='ERP5 Login') \
+              if x.getValidationState() == 'validated']
+if len(login_list):
+  login = login_list[0]
+else:
+  login = person.newContent(portal_type='ERP5 Login')
 # Create user of the person only if not exist
-if person.hasReference() and person.getPassword():
+if person.hasReference() and login.hasPassword():
   return person.getReference(), None
 
 # Set login
-login = context.getReference()
-if not person.hasReference():
-  if not login:
+reference = context.getReference()
+if not login.hasReference():
+  if not reference:
     raise ValueError, "Impossible to create an account without login"
-  person.setReference(login)
+  login.setReference(reference)
+  if not person.hasReference():
+    person.setReference(reference)
 else:
-  login = person.getReference()
+  reference = person.getReference()
 
 password = None
-# Set password if no password on the person
-if not person.getPassword():
+# Set password if no password on the Login
+if not login.hasPassword():
   if context.getPassword():
     #User has fill a password
     password = context.getPassword()
-    person.setEncodedPassword(password)
+    login.setEncodedPassword(password)
   else:
     if not portal_preferences.isPreferredSystemGeneratePassword():
       # user will set it trough a credential recovery process
@@ -39,24 +47,27 @@ if not person.getPassword():
       module = portal.getDefaultModule(portal_type='Credential Recovery')
       credential_recovery = module.newContent(
                                      portal_type="Credential Recovery",
-                                     reference=login,
+                                     reference=reference,
                                      destination_decision=person.getRelativeUrl(),
                                      language=portal.Localizer.get_selected_language())
       credential_recovery.submit()
     else:
       # system should generate a password
       password = context.Person_generatePassword(alpha=5, numeric=3)
-      person.setPassword(password)
+      login.setPassword(password)
 
   # create a global account
   if context.ERP5Site_isSingleSignOnEnable():
     #The master manage encoded password and clear password
     person.Person_createNewGlobalUserAccount(password=password)
     person.Person_validateGlobalUserAccount()
+
+  if login.getValidationState() == 'draft':
+    login.validate()
 else:
   #Person has an already an account
   if context.ERP5Site_isSingleSignOnEnable():
     #Check assignment for the current instance
     person.Person_validateGlobalUserAccount()
 
-return login, password
+return reference, password

bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/Credential_updatePersonPassword.py

@@ -4,5 +4,23 @@ Clear 'erp5_content_short' cache too."""
 person = context.getDestinationDecisionValue(portal_type="Person")
 
 if context.getPassword():
-  person.setEncodedPassword(context.getPassword())
+  login_list = [login for login in person.objectValues(portal_type='ERP5 Login') \
+                if login.getValidationState() == 'validated']
+  reference = context.getReference()
+  if reference:
+    for login in login_list:
+      if login.getReference() == reference:
+        break
+    else:
+      raise RuntimeError, 'Person %s does not have a validated Login with reference %r' % \
+          (person.getRelativeUrl(), reference)
+  else: # BBB when login reference is not set in Credential Update document.
+    if login_list:
+      login = sorted(login_list,
+                     key=lambda x:x.getReference() == person.getReference(), reverse=True)[0]
+    else:
+      raise RuntimeError, 'Person %s does not have a validated Login with reference %r' % \
+          (person.getRelativeUrl(), reference)
+  login.setEncodedPassword(context.getPassword())
   context.portal_caches.clearCache(('erp5_content_short',))
+  return login.getReference()

bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/ERP5Site_newCredentialRecovery.py

@@ -40,15 +40,18 @@ if default_email_text is not None:
 else:
   # Case for recovery of password
   if person_list is None:
-    person_module = portal.getDefaultModule('Person')
-    result = person_module.searchFolder(reference={'query':reference, 'key':'ExactMatch'})
+    result = portal.portal_catalog(
+      portal_type=("ERP5 Login"),
+      parent_portal_type="Person",
+      reference={'query':reference, 'key':'ExactMatch'},
+      )
     if len(result) != 1:
       portal_status_message = portal.Base_translateString("Can't find corresponding person, it's not possible to recover your credentials.")
       if web_site is not None:
         return web_site.Base_redirect('', keep_items = dict(portal_status_message=portal_status_message ))
       return portal.Base_redirect('', keep_items = dict(portal_status_message=portal_status_message ))
 
-    person_list = [result[0].getObject(),]
+    person_list = [result[0].getObject().getParentValue(),]
 
   # Check the response
   person = person_list[0]

bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/ERP5Site_newCredentialRequest.py

@@ -45,7 +45,8 @@ credential_request.reindexObject(activate_kw=dict(tag='Person_setReference_%s' %
 if not context.portal_membership.isAnonymousUser():
   person = context.ERP5Site_getAuthenticatedMemberPersonValue()
   destination_decision = []
-  if person.getReference() == reference:
+  if reference in [x.getReference() for x in person.objectValues(portal_type='ERP5 Login')
+                   if x.getValidationState() == 'validated']:
     destination_decision.append(person.getRelativeUrl())
   if person.getDefaultCareerSubordinationTitle() == corporate_name:
     destination_decision.append(person.getDefaultCareerSubordination())

bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/ERP5Site_newPersonCredentialUpdate.py

@@ -9,6 +9,7 @@ else:
   module = portal.getDefaultModule(portal_type='Credential Update')
   credential_update = module.newContent(
     portal_type="Credential Update",
+    reference=reference,
     first_name=first_name,
     last_name=last_name,
     gender=gender,
@@ -44,9 +45,14 @@ else:
   # within same transaction and update client side credentials cookie 
   username = person.getReference()
   if password and username == str(portal.portal_membership.getAuthenticatedMember()):
-    credential_update.accept()
-    portal.cookie_authentication.credentialsChanged(username, username, password)
+    # The password is updated synchronously and the the rest of the credential Update is done later
+    login_reference = credential_update.Credential_updatePersonPassword()
     portal_status_message = "Password changed."
+    context.getPortalObject().cookie_authentication.credentialsChanged(
+      username,
+      login_reference,
+      password,
+      )
 
 portal_status_message = context.Base_translateString(portal_status_message)
 return portal.Base_redirect(keep_items = {'portal_status_message': portal_status_message})

product/ERP5/bootstrap/erp5_core/bt/template_action_path_list

@@ -23,6 +23,7 @@ Attribute Unicity Constraint | view
 Base Category | view
 Base Domain | view
 Base Type | action_view
+Base Type | jump_property_sheets
 Base Type | role_view
 Base Type | translation_view
 Base Type | update_local_roles
@@ -79,10 +80,12 @@ Id Tool | view
 Memcached Plugin | view
 Memcached Tool | view
 Predicate | view
+Preference Tool Type | jump_property_sheets
 Preference Tool Type | view
 Preference Tool | advanced
 Preference Tool | view
 Preference Type | action_view
+Preference Type | jump_property_sheets
 Preference Type | role_view
 Preference Type | translation_view
 Preference Type | update_local_roles