Improved credential validation.

- added `CMS_USER_API.user_with_credential (...): detachable CMS_USER` that check if credential is valid, and return associated user.
  - replaced use of `is_valid_credential` by new function `user_with_credential` .
  - revisited the session auth, to allow other credential validations (other than ROC CMS auth).
  - added CMS_USER_API.credential_validations to allow authenticating with system other than ROC CMS.
Added new permission to allow by-passing the default ROC-CMS user login/register management:
  - new permission to edit its own account.
  - new permission to edit its own password.
  - new permission to view users details (mostly for user managers).

modules/auth/cms_authentication_api.e

@@ -15,7 +15,7 @@ create {CMS_AUTHENTICATION_MODULE}
 
 feature -- Token Generation
 
-	register_user (u: CMS_TEMP_USER; a_email: READABLE_STRING_8; a_personal_information: READABLE_STRING_8)
+	register_user (u: CMS_TEMP_USER; a_email: READABLE_STRING_8; a_personal_information: READABLE_STRING_GENERAL)
 		local
 			l_user_api: CMS_USER_API
 			l_url_activate: STRING
@@ -24,7 +24,11 @@ feature -- Token Generation
 			es: CMS_AUTHENTICATION_EMAIL_SERVICE
 		do
 			l_user_api := cms_api.user_api
+			
+				-- New temp user
+			u.set_personal_information (a_personal_information)
 			l_user_api.new_temp_user (u)
+
 				-- Create activation token
 			l_token := new_token
 			l_user_api.new_activation (l_token, u.id)

modules/auth/cms_authentication_module.e

@@ -79,8 +79,10 @@ feature -- Access
 			Result.force ("account activate")
 			Result.force ("account reject")
 			Result.force ("account reactivate")
+			Result.force ("edit own account")
 			Result.force ("change own username")
-			Result.force ("view user")
+			Result.force ("change own password")
+			Result.force ("view users")
 		end
 
 	auth_api: detachable CMS_AUTHENTICATION_API
@@ -303,9 +305,11 @@ feature -- Handler
 				lnk.set_weight (1)
 				r.add_to_primary_tabs (lnk)
 
-				create lnk.make ("Edit", "account/edit")
-				lnk.set_weight (2)
-				r.add_to_primary_tabs (lnk)
+				if r.has_permission ("edit own account") then
+					create lnk.make ("Edit", "account/edit")
+					lnk.set_weight (2)
+					r.add_to_primary_tabs (lnk)
+				end
 			end
 
 			a_auth_api.cms_api.hooks.invoke_form_alter (f, Void, r)
@@ -327,51 +331,59 @@ feature -- Handler
 			lnk: CMS_LOCAL_LINK
 			l_form: CMS_FORM
 		do
-			create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, a_auth_api.cms_api)
-			create b.make_empty
-			l_user := r.user
-			create l_form.make (r.location, edit_account_form_id)
-			if attached smarty_template_block (Current, "account_edit", a_auth_api.cms_api) as l_tpl_block then
-				l_tpl_block.set_weight (-10)
-				r.add_block (l_tpl_block, "content")
-			else
-				debug ("cms")
-					r.add_warning_message ("Error with block [resources_page]")
+			if a_auth_api.cms_api.has_permission ("edit own account") then
+				create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, a_auth_api.cms_api)
+				create b.make_empty
+				l_user := r.user
+				create l_form.make (r.location, edit_account_form_id)
+				if attached smarty_template_block (Current, "account_edit", a_auth_api.cms_api) as l_tpl_block then
+					l_tpl_block.set_weight (-10)
+					r.add_block (l_tpl_block, "content")
+				else
+					debug ("cms")
+						r.add_warning_message ("Error with block [resources_page]")
+					end
+					-- Build CMS form...
 				end
-				-- Build CMS form...
-			end
-			create lnk.make ("View", "account/")
-			lnk.set_weight (1)
-			r.add_to_primary_tabs (lnk)
+				create lnk.make ("View", "account/")
+				lnk.set_weight (1)
+				r.add_to_primary_tabs (lnk)
 
-			create lnk.make ("Edit", "account/edit")
-			lnk.set_weight (2)
-			r.add_to_primary_tabs (lnk)
+				create lnk.make ("Edit", "account/edit")
+				lnk.set_weight (2)
+				r.add_to_primary_tabs (lnk)
 
-			if
-				r.has_permission ("change own username") and then
-				attached new_change_username_form (r) as f
-			then
-				f.append_to_html (r.wsf_theme, b)
-			end
-			if attached new_change_profile_name_form (r) as f then
-				f.append_to_html (r.wsf_theme, b)
-			end
-			if attached new_change_password_form (r) as f then
-				f.append_to_html (r.wsf_theme, b)
-			end
-			if attached new_change_email_form (r) as f then
-				f.append_to_html (r.wsf_theme, b)
-			end
+				if
+					r.has_permission ("change own username") and then
+					attached new_change_username_form (r) as f
+				then
+					f.append_to_html (r.wsf_theme, b)
+				end
+				if attached new_change_profile_name_form (r) as f then
+					f.append_to_html (r.wsf_theme, b)
+				end
 
-			l_form.append_to_html (r.wsf_theme, b)
+				if
+					r.has_permission ("change own password") and then
+					attached new_change_password_form (r) as f
+				then
+					f.append_to_html (r.wsf_theme, b)
+				end
+				if attached new_change_email_form (r) as f then
+					f.append_to_html (r.wsf_theme, b)
+				end
 
-			r.set_main_content (b)
+				l_form.append_to_html (r.wsf_theme, b)
 
-			if l_user = Void then
-				r.set_redirection ("account")
+				r.set_main_content (b)
+
+				if l_user = Void then
+					r.set_redirection ("account")
+				end
+				r.execute
+			else
+				a_auth_api.cms_api.response_api.send_access_denied ("Can not edit your acocunt", req, res)
 			end
-			r.execute
 		end
 
 	handle_login (a_auth_api: CMS_AUTHENTICATION_API; req: WSF_REQUEST; res: WSF_RESPONSE)
@@ -486,14 +498,12 @@ feature -- Handler
 								--| reCaptcha is not setup, so no verification
 							l_captcha_passed := True
 						end
-						if not l_exist then
+						if l_captcha_passed and then not l_exist then
 								-- New temp user
 							create u.make (l_name)
 							u.set_email (l_email)
 							u.set_password (l_password)
 							u.set_personal_information (l_personal_information)
-							l_user_api.new_temp_user (u)
-
 							a_auth_api.register_user (u, l_email, l_personal_information)
 						else
 							r.set_value (l_name, "name")

modules/basic_auth/filter/cms_basic_auth_filter.e

@@ -35,8 +35,7 @@ feature -- Basic operations
 				attached l_auth.password as l_auth_password
 			then
 				if
-					api.user_api.is_valid_credential (l_auth_login, l_auth_password) and then
-					attached api.user_api.user_by_name (l_auth_login) as l_user
+					attached api.user_api.user_with_credential (l_auth_login, l_auth_password) as l_user
 				then
 					if api.user_has_permission (l_user, {CMS_BASIC_AUTH_MODULE}.perm_use_basic_auth) then
 						debug ("refactor_fixme")

modules/basic_auth/filter/cms_basic_webapi_auth_filter.e

@@ -26,8 +26,7 @@ feature -- Basic operations
 				attached l_auth.password as l_auth_password
 			then
 				if
-					api.user_api.is_valid_credential (l_auth_login, l_auth_password) and then
-					attached api.user_api.user_by_name (l_auth_login) as l_user
+					attached api.user_api.user_with_credential (l_auth_login, l_auth_password) as l_user
 				then
 					if api.user_has_permission (l_user, {CMS_BASIC_AUTH_MODULE}.perm_use_basic_auth) then
 						api.set_user (l_user)

modules/session_auth/cms_session_auth_module.e

@@ -197,38 +197,17 @@ feature {NONE} -- Implementation: routes
 			then
 				l_username_or_email := p_username.value
 				l_password := p_password.value
-				l_user := api.user_api.user_by_name (l_username_or_email)
-				if l_user = Void then
-					l_user := api.user_api.user_by_email (l_username_or_email)
-				end
-				if l_user = Void then
-					l_tmp_user := api.user_api.temp_user_by_name (l_username_or_email)
-					if l_tmp_user = Void then
-						l_tmp_user := api.user_api.temp_user_by_email (l_username_or_email)
-					end
-					if
-						l_tmp_user /= Void and then
-						api.user_api.is_valid_temp_user_credential (l_tmp_user.name, l_password)
-					then
+				l_user := api.user_api.user_with_credential (l_username_or_email, l_password)
+				if l_user /= Void then
+					if attached {CMS_TEMP_USER} l_user as l_temp_user then
 						create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
 						if attached smarty_template_login_block (req, Current, "login", api) as l_tpl_block then
 							l_tpl_block.set_value (l_username_or_email, "username")
-							l_tpl_block.set_value ("Error: Inactive account (or not yet validated)!", "error")
+							l_tpl_block.set_value ("Error: the account is inactive, or not yet validated!", "error")
 							r.add_block (l_tpl_block, "content")
 						end
 					else
-						create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
-						if attached smarty_template_login_block (req, Current, "login", api) as l_tpl_block then
-							l_tpl_block.set_value (l_username_or_email, "username")
-							l_tpl_block.set_value ("Wrong username or password ", "error")
-							r.add_block (l_tpl_block, "content")
-						end
-					end
-				else
-					l_username := l_user.name
-					if api.user_api.is_valid_credential (l_username, l_password) then
 						a_session_api.process_user_login (l_user, req, res)
-
 						create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
 						if
 							attached {WSF_STRING} req.item ("destination") as p_destination and then
@@ -239,13 +218,13 @@ feature {NONE} -- Implementation: routes
 						else
 							r.set_redirection ("")
 						end
-					else
-						create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
-						if attached smarty_template_login_block (req, Current, "login", api) as l_tpl_block then
-							l_tpl_block.set_value (l_username_or_email, "username")
-							l_tpl_block.set_value ("Wrong username or password ", "error")
-							r.add_block (l_tpl_block, "content")
-						end
+					end
+				else
+					create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
+					if attached smarty_template_login_block (req, Current, "login", api) as l_tpl_block then
+						l_tpl_block.set_value (l_username_or_email, "username")
+						l_tpl_block.set_value ("Wrong username or password ", "error")
+						r.add_block (l_tpl_block, "content")
 					end
 				end
 				r.execute