PasswordTool: verify password match confirmation

This is supposed to be catched by an external validator on the field, but checking the one more time here supports custom dialogs where there might not be form level validation.

PasswordTool: verify password match confirmation
This is supposed to be catched by an external validator on the field, but checking the one more time here supports custom dialogs where there might not be form level validation.
05a3390b · Jérome Perrin · 4cd0f2d8 · 05a3390b · 05a3390b
Commit 05a3390b authored Jun 15, 2023 by Jérome Perrin
2 changed files
--- a/bt5/erp5_core_test/TestTemplateItem/portal_components/test.erp5.testPasswordTool.py
+++ b/bt5/erp5_core_test/TestTemplateItem/portal_components/test.erp5.testPasswordTool.py
@@ -230,6 +230,21 @@ class TestPasswordTool(ERP5TypeTestCase):
    self.assertFalse(list(six.iterkeys(
      self.portal.portal_password._password_request_dict)))

+  def test_password_reset_password_and_confirmation_do_not_match(self):
+    self.portal.portal_password.mailPasswordResetRequest(
+      user_login='userA-login', REQUEST=self.portal.REQUEST)
+    reset_key, = list(six.iterkeys(
+      self.portal.portal_password._password_request_dict))
+
+    ret = self.portal.portal_password.changeUserPassword(
+        user_login="userA-login",
+        password="new-password",
+        password_confirm="wrong-password",
+        password_key=reset_key)
+    query_string_param = parse_qsl(urlparse(str(ret)).query)
+    self.assertIn(("portal_status_message", "Password does not match the confirm password."), query_string_param)
+    self.assertIn(("portal_status_level", "error"), query_string_param)
+
  def test_two_concurrent_password_reset(self):
    self._createUser('userB')
    self._assertUserExists('userA-login', 'userA-password')

--- a/product/ERP5/bootstrap/erp5_core/ToolComponentTemplateItem/portal_components/tool.erp5.PasswordTool.py
+++ b/product/ERP5/bootstrap/erp5_core/ToolComponentTemplateItem/portal_components/tool.erp5.PasswordTool.py
@@ -268,7 +268,6 @@ class PasswordTool(BaseTool):
    """
    Reset the password for a given login
    """
-    # BBB: password_confirm: unused argument
    def error(message):
      # BBB: should "raise Redirect" instead of just returning, simplifying
      #      calling code and making mistakes more difficult
@@ -293,6 +292,8 @@ class PasswordTool(BaseTool):
    if user_login is not None and register_user_login != user_login:
      # XXX: not descriptive enough
      return error("Bad login provided.")
+    if password_confirm is not None and password_confirm != password:
+      return error("Password does not match the confirm password.")
    if DateTime() > expiration_date:
      return error("Date has expired.")
    del self._password_request_dict[password_key]