From 98b3859f5e92fb0d48ff6207959304c8f00de109 Mon Sep 17 00:00:00 2001
From: Ross Patterson
Date: Sun, 26 Dec 2021 12:13:11 -0800
Subject: [PATCH] fix(auth): API login for Zope root acl_users user

The Plone login handling code depends on the user's password being at the same place in the request as the classic Plone login form puts it in order to set the correct authentication cookie. Without it, when logging in via the Volto UI component as a user from the Zope root `acl_users` (e.g. `admin` or `SITE_OWNER_NAME`), they aren't logged into Plone classic. The other direction is fine, logging in as `admin` to Plone classic results in a new request to the Volto UI being logged in.

Fix that edge case by mimicking the request keys of the login form after parsing the login POST JSON body.
---
 news/1303.feature | 2 ++
 src/plone/restapi/services/auth/login.py | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 news/1303.feature

diff --git a/news/1303.feature b/news/1303.feature
new file mode 100644
index 0000000000..7100014e67
--- /dev/null
+++ b/news/1303.feature
@@ -0,0 +1,2 @@
+Logging in to or out of Plone classic or the API does the same in the other.
+[rpatterson]
diff --git a/src/plone/restapi/services/auth/login.py b/src/plone/restapi/services/auth/login.py
index b0d65c6648..b51962dcb9 100644
--- a/src/plone/restapi/services/auth/login.py
+++ b/src/plone/restapi/services/auth/login.py
@@ -28,8 +28,10 @@ def reply(self):
         if "IDisableCSRFProtection" in dir(plone.protect.interfaces):
             alsoProvides(self.request, plone.protect.interfaces.IDisableCSRFProtection)
-        userid = data["login"]
-        password = data["password"]
+        # Also add credentials to the request for other code that depends on it. In
+        # particular, the PAS cookie authentication plugin depends on `__ac_password`.
+        userid = self.request.form["__ac_name"] = data["login"]
+        password = self.request.form["__ac_password"] = data["password"]
         uf = self._find_userfolder(userid)
         if uf is not None:
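Review bot: The two added assignments copy the raw JSON values into `self.request.form` with no type check, so a `login` or `password` that is not a string (a list or object in the POST body) is now handed to the PAS cookie plugin and anything else that reads `__ac_name`/`__ac_password` rather than being rejected here; guard before mirroring, e.g. `if not isinstance(data.get("login"), str) or not isinstance(data.get("password"), str):` followed by the same error response the service uses for missing fields (the JSON parsing and error handling sit outside this hunk, so adapt to what is there). Mirroring the plaintext password into the form also means any later code that dumps or logs the request form (error reporting, debugging helpers) can capture it, which the new comment should state, e.g. `# NOTE: the plaintext password is now also in request.form; nothing on this path may log or serialize the form.`. As a style point, the chained assignments mix a local binding with a request mutation on one line; `self.request.form["__ac_name"] = userid = data["login"]` (and likewise for the password) or two separate statements read more clearly. `reply` starts and ends outside the hunk.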