Commit 4848edce authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

fixup! ERP5Security: Use a dedicated Login document to handle authentication.

parent 7ac3444a
person = context.ERP5Site_getAuthenticatedMemberPersonValue()
if person is not None:
return [login for login in person.objectValues(portal_type='ERP5 Login')]
else:
return []
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>Base_getValidatedLoginReferenceList</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
...@@ -4,7 +4,7 @@ send the password reset link by mail ...@@ -4,7 +4,7 @@ send the password reset link by mail
portal = context.getPortalObject() portal = context.getPortalObject()
person = context.getDestinationDecisionValue(portal_type="Person") person = context.getDestinationDecisionValue(portal_type="Person")
reference = person.getReference() reference = context.getReference()
if context.hasDocumentReference(): if context.hasDocumentReference():
message_reference = context.getDocumentReference() message_reference = context.getDocumentReference()
else: else:
...@@ -14,7 +14,7 @@ if message_reference is None: ...@@ -14,7 +14,7 @@ if message_reference is None:
notification_message = portal.NotificationTool_getDocumentValue(message_reference, notification_message = portal.NotificationTool_getDocumentValue(message_reference,
context.getLanguage()) context.getLanguage())
context.REQUEST.set('came_from', context.getUrlString()) context.REQUEST.set('came_from', portal.absolute_url())
if context.hasStopDate(): if context.hasStopDate():
kw = {'expiration_date':context.getStopDate()} kw = {'expiration_date':context.getStopDate()}
......
...@@ -4,13 +4,14 @@ send the username mail ...@@ -4,13 +4,14 @@ send the username mail
portal = context.getPortalObject() portal = context.getPortalObject()
person_list = context.getDestinationDecisionValueList(portal_type="Person") person_list = context.getDestinationDecisionValueList(portal_type="Person")
usernames = [] login_list = []
for person in person_list: for person in person_list:
usernames.append("%s" %person.getReference()) for login in person.objectValues(portal_type='ERP5 Login'):
if login.getValidationState() == 'validated':
login_list.append(login)
usernames = " ".join(usernames) usernames = ' '.join(login.getReference() for login in login_list)
reference_list = [x.getReference() for x in person_list]
if context.hasDocumentReference(): if context.hasDocumentReference():
message_reference = context.getDocumentReference() message_reference = context.getDocumentReference()
else: else:
......
...@@ -12,26 +12,34 @@ portal = context.getPortalObject() ...@@ -12,26 +12,34 @@ portal = context.getPortalObject()
portal_preferences = context.portal_preferences portal_preferences = context.portal_preferences
person = context.getDestinationDecisionValue(portal_type="Person") person = context.getDestinationDecisionValue(portal_type="Person")
login_list = [x for x in person.objectValues(portal_type='ERP5 Login') \
if x.getValidationState() == 'validated']
if len(login_list):
login = login_list[0]
else:
login = person.newContent(portal_type='ERP5 Login')
# Create user of the person only if not exist # Create user of the person only if not exist
if person.hasReference() and person.getPassword(): if person.hasReference() and login.hasPassword():
return person.getReference(), None return person.getReference(), None
# Set login # Set login
login = context.getReference() reference = context.getReference()
if not person.hasReference(): if not login.hasReference():
if not login: if not reference:
raise ValueError, "Impossible to create an account without login" raise ValueError, "Impossible to create an account without login"
person.setReference(login) login.setReference(reference)
if not person.hasReference():
person.setReference(reference)
else: else:
login = person.getReference() reference = person.getReference()
password = None password = None
# Set password if no password on the person # Set password if no password on the Login
if not person.getPassword(): if not login.hasPassword():
if context.getPassword(): if context.getPassword():
#User has fill a password #User has fill a password
password = context.getPassword() password = context.getPassword()
person.setEncodedPassword(password) login.setEncodedPassword(password)
else: else:
if not portal_preferences.isPreferredSystemGeneratePassword(): if not portal_preferences.isPreferredSystemGeneratePassword():
# user will set it trough a credential recovery process # user will set it trough a credential recovery process
...@@ -39,24 +47,27 @@ if not person.getPassword(): ...@@ -39,24 +47,27 @@ if not person.getPassword():
module = portal.getDefaultModule(portal_type='Credential Recovery') module = portal.getDefaultModule(portal_type='Credential Recovery')
credential_recovery = module.newContent( credential_recovery = module.newContent(
portal_type="Credential Recovery", portal_type="Credential Recovery",
reference=login, reference=reference,
destination_decision=person.getRelativeUrl(), destination_decision=person.getRelativeUrl(),
language=portal.Localizer.get_selected_language()) language=portal.Localizer.get_selected_language())
credential_recovery.submit() credential_recovery.submit()
else: else:
# system should generate a password # system should generate a password
password = context.Person_generatePassword(alpha=5, numeric=3) password = context.Person_generatePassword(alpha=5, numeric=3)
person.setPassword(password) login.setPassword(password)
# create a global account # create a global account
if context.ERP5Site_isSingleSignOnEnable(): if context.ERP5Site_isSingleSignOnEnable():
#The master manage encoded password and clear password #The master manage encoded password and clear password
person.Person_createNewGlobalUserAccount(password=password) person.Person_createNewGlobalUserAccount(password=password)
person.Person_validateGlobalUserAccount() person.Person_validateGlobalUserAccount()
if login.getValidationState() == 'draft':
login.validate()
else: else:
#Person has an already an account #Person has an already an account
if context.ERP5Site_isSingleSignOnEnable(): if context.ERP5Site_isSingleSignOnEnable():
#Check assignment for the current instance #Check assignment for the current instance
person.Person_validateGlobalUserAccount() person.Person_validateGlobalUserAccount()
return login, password return reference, password
...@@ -4,5 +4,23 @@ Clear 'erp5_content_short' cache too.""" ...@@ -4,5 +4,23 @@ Clear 'erp5_content_short' cache too."""
person = context.getDestinationDecisionValue(portal_type="Person") person = context.getDestinationDecisionValue(portal_type="Person")
if context.getPassword(): if context.getPassword():
person.setEncodedPassword(context.getPassword()) login_list = [login for login in person.objectValues(portal_type='ERP5 Login') \
if login.getValidationState() == 'validated']
reference = context.getReference()
if reference:
for login in login_list:
if login.getReference() == reference:
break
else:
raise RuntimeError, 'Person %s does not have a validated Login with reference %r' % \
(person.getRelativeUrl(), reference)
else: # BBB when login reference is not set in Credential Update document.
if login_list:
login = sorted(login_list,
key=lambda x:x.getReference() == person.getReference(), reverse=True)[0]
else:
raise RuntimeError, 'Person %s does not have a validated Login with reference %r' % \
(person.getRelativeUrl(), reference)
login.setEncodedPassword(context.getPassword())
context.portal_caches.clearCache(('erp5_content_short',)) context.portal_caches.clearCache(('erp5_content_short',))
return login.getReference()
...@@ -40,15 +40,18 @@ if default_email_text is not None: ...@@ -40,15 +40,18 @@ if default_email_text is not None:
else: else:
# Case for recovery of password # Case for recovery of password
if person_list is None: if person_list is None:
person_module = portal.getDefaultModule('Person') result = portal.portal_catalog(
result = person_module.searchFolder(reference={'query':reference, 'key':'ExactMatch'}) portal_type=("ERP5 Login"),
parent_portal_type="Person",
reference={'query':reference, 'key':'ExactMatch'},
)
if len(result) != 1: if len(result) != 1:
portal_status_message = portal.Base_translateString("Can't find corresponding person, it's not possible to recover your credentials.") portal_status_message = portal.Base_translateString("Can't find corresponding person, it's not possible to recover your credentials.")
if web_site is not None: if web_site is not None:
return web_site.Base_redirect('', keep_items = dict(portal_status_message=portal_status_message )) return web_site.Base_redirect('', keep_items = dict(portal_status_message=portal_status_message ))
return portal.Base_redirect('', keep_items = dict(portal_status_message=portal_status_message )) return portal.Base_redirect('', keep_items = dict(portal_status_message=portal_status_message ))
person_list = [result[0].getObject(),] person_list = [result[0].getObject().getParentValue(),]
# Check the response # Check the response
person = person_list[0] person = person_list[0]
......
...@@ -45,7 +45,8 @@ credential_request.reindexObject(activate_kw=dict(tag='Person_setReference_%s' % ...@@ -45,7 +45,8 @@ credential_request.reindexObject(activate_kw=dict(tag='Person_setReference_%s' %
if not context.portal_membership.isAnonymousUser(): if not context.portal_membership.isAnonymousUser():
person = context.ERP5Site_getAuthenticatedMemberPersonValue() person = context.ERP5Site_getAuthenticatedMemberPersonValue()
destination_decision = [] destination_decision = []
if person.getReference() == reference: if reference in [x.getReference() for x in person.objectValues(portal_type='ERP5 Login')
if x.getValidationState() == 'validated']:
destination_decision.append(person.getRelativeUrl()) destination_decision.append(person.getRelativeUrl())
if person.getDefaultCareerSubordinationTitle() == corporate_name: if person.getDefaultCareerSubordinationTitle() == corporate_name:
destination_decision.append(person.getDefaultCareerSubordination()) destination_decision.append(person.getDefaultCareerSubordination())
......
...@@ -9,6 +9,7 @@ else: ...@@ -9,6 +9,7 @@ else:
module = portal.getDefaultModule(portal_type='Credential Update') module = portal.getDefaultModule(portal_type='Credential Update')
credential_update = module.newContent( credential_update = module.newContent(
portal_type="Credential Update", portal_type="Credential Update",
reference=reference,
first_name=first_name, first_name=first_name,
last_name=last_name, last_name=last_name,
gender=gender, gender=gender,
...@@ -44,9 +45,14 @@ else: ...@@ -44,9 +45,14 @@ else:
# within same transaction and update client side credentials cookie # within same transaction and update client side credentials cookie
username = person.getReference() username = person.getReference()
if password and username == str(portal.portal_membership.getAuthenticatedMember()): if password and username == str(portal.portal_membership.getAuthenticatedMember()):
credential_update.accept() # The password is updated synchronously and the the rest of the credential Update is done later
portal.cookie_authentication.credentialsChanged(username, username, password) login_reference = credential_update.Credential_updatePersonPassword()
portal_status_message = "Password changed." portal_status_message = "Password changed."
context.getPortalObject().cookie_authentication.credentialsChanged(
username,
login_reference,
password,
)
portal_status_message = context.Base_translateString(portal_status_message) portal_status_message = context.Base_translateString(portal_status_message)
return portal.Base_redirect(keep_items = {'portal_status_message': portal_status_message}) return portal.Base_redirect(keep_items = {'portal_status_message': portal_status_message})
...@@ -23,6 +23,7 @@ Attribute Unicity Constraint | view ...@@ -23,6 +23,7 @@ Attribute Unicity Constraint | view
Base Category | view Base Category | view
Base Domain | view Base Domain | view
Base Type | action_view Base Type | action_view
Base Type | jump_property_sheets
Base Type | role_view Base Type | role_view
Base Type | translation_view Base Type | translation_view
Base Type | update_local_roles Base Type | update_local_roles
...@@ -79,10 +80,12 @@ Id Tool | view ...@@ -79,10 +80,12 @@ Id Tool | view
Memcached Plugin | view Memcached Plugin | view
Memcached Tool | view Memcached Tool | view
Predicate | view Predicate | view
Preference Tool Type | jump_property_sheets
Preference Tool Type | view Preference Tool Type | view
Preference Tool | advanced Preference Tool | advanced
Preference Tool | view Preference Tool | view
Preference Type | action_view Preference Type | action_view
Preference Type | jump_property_sheets
Preference Type | role_view Preference Type | role_view
Preference Type | translation_view Preference Type | translation_view
Preference Type | update_local_roles Preference Type | update_local_roles
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment