Commit 52c268d2 authored by Jérome Perrin's avatar Jérome Perrin Committed by Your Name

access_token: don't allow RestrictedAccessToken without assignments

for compatibility with login/password
parent c0d7d7c0
...@@ -22,6 +22,22 @@ if access_token_document.getValidationState() == 'validated': ...@@ -22,6 +22,22 @@ if access_token_document.getValidationState() == 'validated':
agent_document = access_token_document.getAgentValue() agent_document = access_token_document.getAgentValue()
if agent_document is not None: if agent_document is not None:
if agent_document.getPortalType() == 'Person':
# if this is a token for a person, only make accept if person has valid
# assignments (for compatibility with login/password authentication)
if agent_document.getValidationState() == 'deleted':
return None
now = DateTime()
for assignment in agent_document.contentValues(portal_type='Assignment'):
if assignment.getValidationState() == "open" and (
not assignment.hasStartDate() or assignment.getStartDate() <= now
) and (
not assignment.hasStopDate() or assignment.getStopDate() >= now
):
break
else:
return None
result = agent_document result = agent_document
return result return result
...@@ -137,6 +137,28 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase): ...@@ -137,6 +137,28 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase):
result = self._getTokenCredential(self.portal.REQUEST) result = self._getTokenCredential(self.portal.REQUEST)
self.assertFalse(result) self.assertFalse(result)
def test_token_without_assignment(self):
# Token does not work when person has no open assignment
person = self._createPerson(self.new_id)
for assignment in person.contentValues(portal_type='Assignment'):
assignment.close()
access_url = "http://exemple.com/foo"
access_method = "GET"
access_token = self._createRestrictedAccessToken(self.new_id,
person,
access_method,
access_url)
access_token.validate()
self.tic()
self.portal.REQUEST.form["access_token"] = access_token.getId()
self.portal.REQUEST["REQUEST_METHOD"] = access_method
self.portal.REQUEST["ACTUAL_URL"] = access_url
self.portal.REQUEST.form["access_token_secret"] = access_token.getReference()
result = self._getTokenCredential(self.portal.REQUEST)
self.assertFalse(result)
def test_RestrictedAccessToken_getUserValue(self): def test_RestrictedAccessToken_getUserValue(self):
person = self._createPerson(self.new_id) person = self._createPerson(self.new_id)
access_url = "http://exemple.com/foo" access_url = "http://exemple.com/foo"
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment