Commit
e8cb8fb8
authored
Feb 27, 2019
by
Jérome Perrin
access_token: don't allow RestrictedAccessToken without assignments
for compatibility with login/password
parent
adb649bd
Showing
2 changed files
with
38 additions
and
0 deletions
+38
-0
bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getUserValue.py
...s/erp5_access_token/RestrictedAccessToken_getUserValue.py
+16
-0
bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5AccessToken.py
...teItem/portal_components/test.erp5.testERP5AccessToken.py
+22
-0
bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getUserValue.py
...
...
@@ -22,6 +22,22 @@ if access_token_document.getValidationState() == 'validated':
agent_document
=
access_token_document
.
getAgentValue
()
if
agent_document
is
not
None
:
if
agent_document
.
getPortalType
()
==
'Person'
:
# if this is a token for a person, only make accept if person has valid
# assignments (for compatibility with login/password authentication)
if
agent_document
.
getValidationState
()
==
'deleted'
:
return
None
now
=
DateTime
()
for
assignment
in
agent_document
.
contentValues
(
portal_type
=
'Assignment'
):
if
assignment
.
getValidationState
()
==
"open"
and
(
not
assignment
.
hasStartDate
()
or
assignment
.
getStartDate
()
<=
now
)
and
(
not
assignment
.
hasStopDate
()
or
assignment
.
getStopDate
()
>=
now
):
break
else
:
return
None
result
=
agent_document
return
result
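Review bot: The new deleted-state and assignment check sits under `if agent_document.getPortalType() == 'Person':`, so an agent of any other portal type still seems to reach `result = agent_document` with no validity check at all (indentation is lost on this page, so the nesting is inferred); if that is intended the comment should say so, otherwise the non-Person case needs its own rule. The `else:` ahead of the second `return None` belongs to the `for` loop, and a later re-indent would silently change who gets authenticated, so I would label it: `else:  # for/else: no open assignment covers the current date`. The existing comment's "only make accept if" would read better as `# only accept the token if the person has a valid assignment`. The enclosing `if access_token_document.getValidationState() == 'validated':` block starts outside the hunk.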
bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5AccessToken.py
...
...
@@ -137,6 +137,28 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase):
result
=
self
.
_getTokenCredential
(
self
.
portal
.
REQUEST
)
self
.
assertFalse
(
result
)
def
test_token_without_assignment
(
self
):
# Token does not work when person has no open assignment
person
=
self
.
_createPerson
(
self
.
new_id
)
for
assignment
in
person
.
contentValues
(
portal_type
=
'Assignment'
):
assignment
.
close
()
access_url
=
"http://exemple.com/foo"
access_method
=
"GET"
access_token
=
self
.
_createRestrictedAccessToken
(
self
.
new_id
,
person
,
access_method
,
access_url
)
access_token
.
validate
()
self
.
tic
()
self
.
portal
.
REQUEST
.
form
[
"access_token"
]
=
access_token
.
getId
()
self
.
portal
.
REQUEST
[
"REQUEST_METHOD"
]
=
access_method
self
.
portal
.
REQUEST
[
"ACTUAL_URL"
]
=
access_url
self
.
portal
.
REQUEST
.
form
[
"access_token_secret"
]
=
access_token
.
getReference
()
result
=
self
.
_getTokenCredential
(
self
.
portal
.
REQUEST
)
self
.
assertFalse
(
result
)
def
test_RestrictedAccessToken_getUserValue
(
self
):
person
=
self
.
_createPerson
(
self
.
new_id
)
access_url
=
"http://exemple.com/foo"
...
...
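Review bot: `test_token_without_assignment` exercises only one of the rejection paths this commit adds, the one where every assignment is closed; a person in the `deleted` state, an open assignment whose start date is still in the future, and one whose stop date has already passed are not tested. Each of those is an authentication decision, so I would add one test per branch, built like this one and ending in `self.assertFalse(result)`. Because `assertFalse` also passes when the token is refused for an unrelated reason, it would help to run the same request once with the assignment still open (assuming `_createPerson` leaves one open, as the closing loop suggests) and assert the credential is accepted, so the test shows the assignment state is what flips the outcome. `test_RestrictedAccessToken_getUserValue` continues outside the hunk.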