authentication_policy: fix credential recovery on password expiration

Credential Recovery are supposed to be related to persons, not logins.
Extend the tests to make sure that after the credential recovery is
accepted a reset password email is sent and fix authentication_policy
scripts to create a Credential Recovery related to the person.

bt5/erp5_authentication_policy/SkinTemplateItem/portal_skins/erp5_authentication_policy/Login_notifyPasswordExpire.py

@@ -9,25 +9,28 @@ portal = context.getPortalObject()
 portal_preferences = portal.portal_preferences
 
 if not portal_preferences.isAuthenticationPolicyEnabled() or \
-   not portal.portal_preferences.isPreferredSystemRecoverExpiredPassword():
+   not portal_preferences.isPreferredSystemRecoverExpiredPassword():
   # no policy, no sense to file expire at all or symply system do not configured to
-  return 0
+  return
+
+user = context.getParentValue()
+username = context.getReference()
 
 # Prevent creating new recovery if one was recently created
 recovery_list = portal.portal_catalog(
   portal_type="Credential Recovery",
-  reference=context.getReference(),
-  default_destination_decision_uid=context.getUid(),
+  reference=username,
+  default_destination_decision_uid=user.getUid(),
   creation_date=Query(range="min", creation_date=addToDate(DateTime(), {'day': -1})),
   limit=1)
-if (len(recovery_list) > 0):
-  return 0
+if recovery_list:
+  return
 
 module = portal.getDefaultModule(portal_type='Credential Recovery')
 credential_recovery = module.newContent(
-                               portal_type="Credential Recovery",
-                               reference=context.getReference(),
-                               destination_decision_value=context,
-                               language=portal.Localizer.get_selected_language())
+    portal_type="Credential Recovery",
+    reference=username,
+    destination_decision_value=user,
+    language=portal.Localizer.get_selected_language())
 context.serialize()
 credential_recovery.submit()

product/ERP5/tests/testAuthenticationPolicy.py

@@ -598,7 +598,8 @@ class TestAuthenticationPolicy(ERP5TypeTestCase):
     self.tic()
 
     person = self.createUser(self.id(), password='password')
-    assignment = person.newContent(portal_type = 'Assignment')
+    person.setDefaultEmailCoordinateText('user@example.com')
+    assignment = person.newContent(portal_type='Assignment')
     assignment.open()
     login = person.objectValues(portal_type='ERP5 Login')[0]
 
@@ -618,15 +619,22 @@ class TestAuthenticationPolicy(ERP5TypeTestCase):
     self.tic()
 
     # and a credential recovery is created automatically
-    credential_recovery, = login.getDestinationDecisionRelatedValueList(
+    credential_recovery, = person.getDestinationDecisionRelatedValueList(
         portal_type='Credential Recovery')
 
     # trying to login again does not create a new credential recovery
     response = publish()
+    self.assertTrue(response.getHeader("Location").endswith("login_form"))
     self.tic()
-    credential_recovery, = login.getDestinationDecisionRelatedValueList(
+    credential_recovery, = person.getDestinationDecisionRelatedValueList(
         portal_type='Credential Recovery')
 
+    credential_recovery.accept()
+    self.tic()
+    _, (to,), message = self.portal.MailHost._last_message
+    self.assertEqual(to, 'user@example.com')
+    self.assertIn('Password Recovery', message)
+
   def test_HttpRequest(self):
     """
       Check HTTP responses