Commit cd6b02e2 authored by Jérome Perrin's avatar Jérome Perrin Committed by Your Name

access_token: don't allow RestrictedAccessToken without another login

This keeps the current behavior. Invalidating all logins is also a way to
disable login for this user without having to find all tokens and
invalidate them one by one.
parent 52c268d2
...@@ -24,7 +24,8 @@ if access_token_document.getValidationState() == 'validated': ...@@ -24,7 +24,8 @@ if access_token_document.getValidationState() == 'validated':
if agent_document is not None: if agent_document is not None:
if agent_document.getPortalType() == 'Person': if agent_document.getPortalType() == 'Person':
# if this is a token for a person, only make accept if person has valid # if this is a token for a person, only make accept if person has valid
# assignments (for compatibility with login/password authentication) # assignments and a validated login (for compatibility with login/password
# authentication)
if agent_document.getValidationState() == 'deleted': if agent_document.getValidationState() == 'deleted':
return None return None
now = DateTime() now = DateTime()
...@@ -38,6 +39,12 @@ if access_token_document.getValidationState() == 'validated': ...@@ -38,6 +39,12 @@ if access_token_document.getValidationState() == 'validated':
else: else:
return None return None
user, = context.getPortalObject().acl_users.searchUsers(
exact_match=True,
id=agent_document.Person_getUserId())
if not user['login_list']:
return None
result = agent_document result = agent_document
return result return result
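Review bot: The tuple unpack `user, = ...searchUsers(...)` on the new lines raises ValueError instead of returning None whenever the search yields zero or several entries — for instance a person with no user id or no login document at all; whether searchUsers returns an entry with an empty login_list in that case is not visible here and needs confirming. In an authentication script an uncaught exception is a worse outcome than a clean refusal, so the deny path should be explicit: `user_list = context.getPortalObject().acl_users.searchUsers(exact_match=True, id=agent_document.Person_getUserId())` / `if len(user_list) != 1 or not user_list[0]['login_list']:` / `return None`. A short comment above the check, `# a validated login is required: a person whose logins are all invalidated must not authenticate through a token either`, would tie the check to the intent stated in the commit message. The script's body starts before this hunk.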
...@@ -50,7 +50,8 @@ class AccessTokenTestCase(ERP5TypeTestCase): ...@@ -50,7 +50,8 @@ class AccessTokenTestCase(ERP5TypeTestCase):
reference='TESTP-' + new_id) reference='TESTP-' + new_id)
if password: if password:
person.setPassword(password) person.setPassword(password)
person.newContent(portal_type = 'Assignment').open() person.newContent(portal_type='Assignment').open()
person.newContent(portal_type='ERP5 Login', reference=new_id).validate()
self.tic() self.tic()
return person return person
...@@ -159,6 +160,28 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase): ...@@ -159,6 +160,28 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase):
result = self._getTokenCredential(self.portal.REQUEST) result = self._getTokenCredential(self.portal.REQUEST)
self.assertFalse(result) self.assertFalse(result)
def test_token_without_login(self):
# Token does not work when person has no validated login
person = self._createPerson(self.new_id)
for login in person.contentValues(portal_type='ERP5 Login'):
login.invalidate()
access_url = "http://exemple.com/foo"
access_method = "GET"
access_token = self._createRestrictedAccessToken(self.new_id,
person,
access_method,
access_url)
access_token.validate()
self.tic()
self.portal.REQUEST.form["access_token"] = access_token.getId()
self.portal.REQUEST["REQUEST_METHOD"] = access_method
self.portal.REQUEST["ACTUAL_URL"] = access_url
self.portal.REQUEST.form["access_token_secret"] = access_token.getReference()
result = self._getTokenCredential(self.portal.REQUEST)
self.assertFalse(result)
def test_RestrictedAccessToken_getUserValue(self): def test_RestrictedAccessToken_getUserValue(self):
person = self._createPerson(self.new_id) person = self._createPerson(self.new_id)
access_url = "http://exemple.com/foo" access_url = "http://exemple.com/foo"
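Review bot: `test_token_without_login` only covers a person whose login exists but is invalidated; since `_createPerson` now always creates an `ERP5 Login`, the case of a person with no login document at all — the one most likely to make `searchUsers` return no entry — is no longer exercised by any test in this hunk. A companion test that deletes the login (or builds the person without the login step) and asserts `_getTokenCredential` is falsy would pin that path. The four `self.portal.REQUEST` setup lines repeat the neighbouring tests verbatim; a small helper would keep the new test to its single point.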
......