Commit 15730c94 authored by Vincent Pelletier's avatar Vincent Pelletier

erp5_authentication_policy: Do not cache password expiration state.

Caching in authentication-related work is not a good idea.
Also, simplify the resulting script:
- do not load Password Event from ZODB, just use the creation_date found by
  catalog
- reorder accesses to only do them when they are needed (ex: preferences)
- factorise access to persistent objects (portal_preferences)
- fix coding style: space after comma, no space around named-argument equal
  signs, 2-spaces indentation, spaces around multiplication and division
  operators, upper-case pseudo-constant
- factorise now vs. expire_date comparison, getting rid of the mishandled
  "now == expire_date" edge case in original code
- remove commented-out code and obvious comments
- DateTime is already implicitly bound in any script's globals, no need to
  explicitly import it.
In turn, this allows removing immediate reindexation on corresponding scripts,
as immediate reindexation will be disallowed for restricted python.
parent dbd5c0d0
...@@ -2,43 +2,30 @@ ...@@ -2,43 +2,30 @@
Returns if user account is Person's password is expired. Returns if user account is Person's password is expired.
Start password recovery process for expired password (if configured). Start password recovery process for expired password (if configured).
""" """
from Products.ERP5Type.Cache import CachingMethod
request = context.REQUEST
portal = context.getPortalObject() portal = context.getPortalObject()
is_password_expired = False
def _isPasswordExpired(): expire_date_warning = 0
from DateTime import DateTime password_event_list = portal.portal_catalog(
one_hour = 1/24.0 select_list=['creation_date'],
portal_type='Password Event',
default_destination_uid=context.getUid(),
validation_state='confirmed',
sort_on=(('creation_date', 'DESC'), ),
limit=1,
)
if password_event_list:
ONE_HOUR = 1 / 24.0
portal_preferences = portal.portal_preferences
expire_date = password_event_list[0].creation_date + portal_preferences.getPreferredMaxPasswordLifetimeDuration() * ONE_HOUR
now = DateTime() now = DateTime()
max_password_lifetime_duration = portal.portal_preferences.getPreferredMaxPasswordLifetimeDuration() if expire_date < now:
password_lifetime_expire_warning_duration = portal.portal_preferences.getPreferredPasswordLifetimeExpireWarningDuration() # password is expired
last_password_event = portal.portal_catalog.getResultValue( is_password_expired = True
portal_type = 'Password Event', else:
default_destination_uid = context.getUid(), password_lifetime_expire_warning_duration = portal_preferences.getPreferredPasswordLifetimeExpireWarningDuration()
validation_state = 'confirmed', if password_lifetime_expire_warning_duration and now > expire_date - password_lifetime_expire_warning_duration * ONE_HOUR:
sort_on = (('creation_date', 'DESC',),)) expire_date_warning = expire_date
expire_date_warning = 0 request = portal.REQUEST
if last_password_event is not None:
last_password_modification_date = last_password_event.getCreationDate()
expire_date = last_password_modification_date + max_password_lifetime_duration*one_hour
if password_lifetime_expire_warning_duration not in (0, None,):
# calculate early warning period
if now > expire_date - password_lifetime_expire_warning_duration*one_hour and \
expire_date > now:
expire_date_warning = expire_date
if expire_date < now:
# password is expired
#context.log('expired %s' %context.getReference())
return True, expire_date_warning
return False, expire_date_warning
_isPasswordExpired = CachingMethod(_isPasswordExpired,
id='Person_isPasswordExpired_%s' %context.getReference(),
cache_factory='erp5_content_short')
is_password_expired, expire_date = _isPasswordExpired()
request.set('is_user_account_password_expired', is_password_expired) request.set('is_user_account_password_expired', is_password_expired)
request.set('is_user_account_password_expired_expire_date', expire_date) request.set('is_user_account_password_expired_expire_date', expire_date_warning)
return is_password_expired return is_password_expired
...@@ -29,7 +29,5 @@ credential_recovery = module.newContent( ...@@ -29,7 +29,5 @@ credential_recovery = module.newContent(
reference=context.getReference(), reference=context.getReference(),
destination_decision_value=context, destination_decision_value=context,
language=portal.Localizer.get_selected_language()) language=portal.Localizer.get_selected_language())
# immediate reindex allowed because it is a new object
credential_recovery.immediateReindexObject()
context.serialize() context.serialize()
credential_recovery.submit() credential_recovery.submit()
...@@ -13,6 +13,3 @@ if portal.portal_preferences.getPreferredNumberOfLastPasswordToCheck() or \ ...@@ -13,6 +13,3 @@ if portal.portal_preferences.getPreferredNumberOfLastPasswordToCheck() or \
destination_value=login, destination_value=login,
password=current_password) password=current_password)
password_event.confirm() password_event.confirm()
# Person_isPasswordExpired cache the wrong result if document is not in catalog.
# As the document is created in the same transaction, it is possible to force reindexation
password_event.immediateReindexObject()
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment