ERP5UserManager.enumerateUsers is used in two modes, exact_match=True and

exact_match=False. If exact_match were False, then % were added around the login, which ZSQLCatalog interprated as a KeyWord search automatically. Now that ZSQLCatalog supports forcing the query type, exact_match=True will force the use of an ExactMatch key and exact_match=False the use of a KeyWord key. This way logins containing SQL characters are now supported. This requires latest fixes to ZSQLCatalog. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@22224 20353a03-c40f-0410-a6d1-a30d3c3de9de

ERP5UserManager.enumerateUsers is used in two modes, exact_match=True and
exact_match=False. If exact_match were False, then % were added around the login, which ZSQLCatalog interprated as a KeyWord search automatically. Now that ZSQLCatalog supports forcing the query type, exact_match=True will force the use of an ExactMatch key and exact_match=False the use of a KeyWord key. This way logins containing SQL characters are now supported. This requires latest fixes to ZSQLCatalog. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@22224 20353a03-c40f-0410-a6d1-a30d3c3de9de
b7a484dd · Jérome Perrin · 2d6ecbd7 · b7a484dd · b7a484dd
Commit b7a484dd authored Jul 02, 2008 by Jérome Perrin
Showing with 45 additions and 6 deletions

product/ERP5Security/ERP5UserManager.py product/ERP5Security/ERP5UserManager.py +10 -6

product/ERP5Security/tests/testERP5Security.py product/ERP5Security/tests/testERP5Security.py +35 -0

No files found.
--- a/product/ERP5Security/ERP5UserManager.py
+++ b/product/ERP5Security/ERP5UserManager.py
@@ -150,10 +150,7 @@ class ERP5UserManager(BasePlugin):
                        }
                user_info.append(info)
              else:
-                if exact_match:
-                  id_list.append(id)
-                else:
-                  id_list.append('%%%s%%' % id)
+                id_list.append(id)

            if id_list:
              for user in self.getUserByLogin(tuple(id_list), exact_match=exact_match):
@@ -202,9 +199,16 @@ class ERP5UserManager(BasePlugin):
  
          try:
            try:
+              if exact_match:
+                reference_key = 'ExactMatch'
+              else:
+                reference_key = 'Keyword'
+
              result = portal.portal_catalog.unrestrictedSearchResults(
-                                      select_expression='reference',
-                                      portal_type="Person", reference=login)
+                                        select_expression='reference',
+                                        portal_type="Person",
+                                        reference=dict(query=login,
+                                                       key=reference_key))
            except ConflictError:
              raise
            except:

--- a/product/ERP5Security/tests/testERP5Security.py
+++ b/product/ERP5Security/tests/testERP5Security.py
@@ -170,6 +170,26 @@ class TestUserManagement(ERP5TypeTestCase):
    self._assertUserDoesNotExists('bar', 'secret')
    self._assertUserDoesNotExists('bar OR foo', 'secret')

+  def test_PersonLoginQuote(self):
+    p = self._makePerson(reference="'", password='secret',)
+    self._assertUserExists("'", 'secret')
+
+  def test_PersonLogin_OR_Keyword(self):
+    p = self._makePerson(reference='foo OR bar', password='secret',)
+    self._assertUserExists('foo OR bar', 'secret')
+    self._assertUserDoesNotExists('foo', 'secret')
+
+  def test_PersonLoginCatalogKeyWord(self):
+    # use something that would turn the username in a ZSQLCatalog catalog keyword
+    p = self._makePerson(reference="foo%", password='secret',)
+    self._assertUserExists("foo%", 'secret')
+    self._assertUserDoesNotExists("foo", 'secret')
+    self._assertUserDoesNotExists("foobar", 'secret')
+
+  def test_PersonLoginNGT(self):
+    p = self._makePerson(reference='< foo', password='secret',)
+    self._assertUserExists('< foo', 'secret')
+
  def test_PersonLoginNonAscii(self):
    """Login can contain non ascii chars."""
    p = self._makePerson(reference='j\xc3\xa9', password='secret',)
@@ -202,6 +222,21 @@ class TestUserManagement(ERP5TypeTestCase):
    from Products.ERP5Security.ERP5UserManager import SUPER_USER
    self._assertUserDoesNotExists(SUPER_USER, '')

+  def test_searchUsers(self):
+    p1 = self._makePerson(reference='person1')
+    p2 = self._makePerson(reference='person2')
+    self.assertEquals(set(['person1', 'person2']),
+      set([x['userid'] for x in
+        self.portal.acl_users.searchUsers(id='person')]))
+
+  def test_searchUsersExactMatch(self):
+    p = self._makePerson(reference='person')
+    p1 = self._makePerson(reference='person1')
+    p2 = self._makePerson(reference='person2')
+    self.assertEquals(['person', ],
+         [x['userid'] for x in 
+           self.portal.acl_users.searchUsers(id='person', exact_match=True)])
+
  def test_MultiplePersonReference(self):
    """Tests that it's refused to create two Persons with same reference."""
    self._makePerson(reference='new_person')