Commit ee55320a authored by Xiaowu Zhang's avatar Xiaowu Zhang Committed by Jérome Perrin

erp5_authentication_policy: prevent to create too much credential recovery

parent 7c72a354
...@@ -25,12 +25,16 @@ recovery_list = portal.portal_catalog( ...@@ -25,12 +25,16 @@ recovery_list = portal.portal_catalog(
limit=1) limit=1)
if recovery_list: if recovery_list:
return return
tag = 'credential_recovery_%s' %context.getReference()
if portal.portal_activities.countMessageWithTag(tag):
return
module = portal.getDefaultModule(portal_type='Credential Recovery') module = portal.getDefaultModule(portal_type='Credential Recovery')
credential_recovery = module.newContent( credential_recovery = module.newContent(
portal_type="Credential Recovery", portal_type="Credential Recovery",
reference=username, reference=username,
destination_decision_value=user, destination_decision_value=user,
language=portal.Localizer.get_selected_language()) language=portal.Localizer.get_selected_language(),
activate_kw={'tag': tag})
context.serialize() context.serialize()
credential_recovery.submit() credential_recovery.submit()
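Review bot: The new `countMessageWithTag(tag)` guard has no comment saying why it is needed on top of the catalog query above it. Presumably the catalog only sees a Credential Recovery once its indexing activity has run, so the tag covers the window before that; I would add `# catalog is updated asynchronously; the tag marks a recovery that exists but is not indexed yet` above the `tag = ...` line. The tag is keyed on `context.getReference()` while the document is created with `reference=username`, so if those two values can differ, the catalog check and the tag check do not guard the same key, and this is worth confirming. The script starts before this hunk, so where `username` comes from is not visible here.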
...@@ -634,13 +634,16 @@ class TestAuthenticationPolicy(ERP5TypeTestCase): ...@@ -634,13 +634,16 @@ class TestAuthenticationPolicy(ERP5TypeTestCase):
basic=self.id() + ':password', basic=self.id() + ':password',
) )
# User cannot login # User cannot login
# fire 5 requests, only 1 credential recovery should be created
for i in range(5):
response = publish() response = publish()
self.assertTrue(response.getHeader("Location").endswith("login_form")) self.assertTrue(response.getHeader("Location").endswith("login_form"))
self.tic() self.tic()
# and a credential recovery is created automatically # and a credential recovery is created automatically
credential_recovery, = person.getDestinationDecisionRelatedValueList( credential_recovery_list = person.getDestinationDecisionRelatedValueList(
portal_type='Credential Recovery') portal_type='Credential Recovery')
self.assertEqual(len(credential_recovery_list), 1)
# trying to login again does not create a new credential recovery # trying to login again does not create a new credential recovery
response = publish() response = publish()
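Review bot: The loop calls `publish()` five times one after another, so the test covers repeated requests before `self.tic()` but not requests handled in parallel transactions, which is what a burst of failed logins would look like. A comment such as `# sequential requests only; concurrent ones presumably rely on context.serialize() in the script` would make that limit explicit. The loop variable is unused, so `for _ in range(5):` reads better. The old line bound `credential_recovery` by unpacking; if lines after the hunk still use that name it is now undefined, and `credential_recovery, = credential_recovery_list` after the new assertion would keep it. The test method continues outside the hunk.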
......