Avoid using old path for http_authorization.

modules/admin/handler/user/cms_admin_users_handler.e

@@ -108,6 +108,16 @@ feature -- HTTP Methods
 						s.append ("%">")
 						s.append (html_encoded (u.name))
 						s.append ("</a>")
+						if attached user_api.user_roles (u) as l_roles and then not l_roles.is_empty then
+							s.append (" <span class=%"cms_roles%">(")
+							across
+								l_roles as ic_roles
+							loop
+								s.append (html_encoded (ic_roles.item.name))
+								s.append (" ")
+							end
+							s.append (")</span>")
+						end
 						s.append ("</li>%N")
 					end
 					s.append ("</ul>%N")

modules/admin/handler/user/cms_user_form_response.e

@@ -386,6 +386,9 @@ feature -- Form
 			-- Update node `a_node' with form_data `a_form_data' for the given content type `a_content_type'.
 		local
 			l_uroles: LIST [CMS_USER_ROLE]
+			l_new_roles: detachable ARRAYED_LIST [CMS_USER_ROLE]
+			r: detachable CMS_USER_ROLE
+			rid: INTEGER
 		do
 			if attached a_form_data.string_item ("op") as f_op then
 				if f_op.is_case_insensitive_equal_general ("Update user role") then
@@ -394,23 +397,53 @@ feature -- Form
 					then
 						l_uroles := api.user_api.user_roles (l_user)
 						l_uroles.compare_objects
-						if attached {WSF_STRING} a_form_data.item ("cms_roles") as l_role then
+
-							if attached api.user_api.user_role_by_id (l_role.integer_value) as role then
+						if attached {WSF_STRING} a_form_data.item ("cms_roles") as p_role_id then
-								if not l_uroles.has (role) then
+							rid := p_role_id.integer_value
-									api.user_api.assign_role_to_user (role, a_user)
+							r := api.user_api.user_role_by_id (rid)
+							if r /= Void then
+								create l_new_roles.make (0)
+								l_new_roles.force (r)
+							end
+						elseif attached {WSF_MULTIPLE_STRING} a_form_data.item ("cms_roles") as p_roles_ids then
+							create l_new_roles.make (p_roles_ids.values.count)
+							across
+								p_roles_ids as ic
+							loop
+								rid := ic.item.integer_value
+								r := api.user_api.user_role_by_id (rid)
+								if r /= Void then
+									l_new_roles.force (r)
 								end
 							end
-						elseif attached {WSF_MULTIPLE_STRING} a_form_data.item ("cms_roles") as l_roles then
+						end
-							across l_roles as ic loop
+						if l_new_roles = Void or else l_new_roles.is_empty then
-								if attached api.user_api.user_role_by_id (ic.item.integer_value) as role then
+							across
-									if not l_uroles.has (role) then
+								l_uroles as ic
-										api.user_api.assign_role_to_user (role, a_user)
+							loop
-									end
+								r := ic.item
-								end
+								api.user_api.unassign_role_from_user (r, a_user)
 							end
 						else
-							across api.user_api.roles as ic  loop
+							across
-								api.user_api.unassign_role_from_user (ic.item, a_user)
+								l_new_roles as ic
+							loop
+								r := ic.item
+								if l_uroles.has (r) then
+										-- Already assigned to that role.
+								else
+									api.user_api.assign_role_to_user (ic.item, a_user)
+								end
+							end
+								-- Remove other roles for `a_user'.
+							l_new_roles.compare_objects
+							across
+								l_uroles as ic
+							loop
+								r := ic.item
+								if not l_new_roles.has (r) then
+									api.user_api.unassign_role_from_user (r, a_user)
+								end
 							end
 						end
 						add_success_message ("Roles updated")

modules/auth/cms_authentication_module.e

@@ -1,7 +1,7 @@
 note
 	description: "Module Auth"
-	date: "$Date$"
+	date: "$Date: 2016-04-13 10:59:18 +0200 (mer., 13 avr. 2016) $"
-	revision: "$Revision$"
+	revision: "$Revision: 98616 $"
 
 class
 	CMS_AUTHENTICATION_MODULE
@@ -159,7 +159,7 @@ feature -- Hooks configuration
 				l_url_name := "site_sign_in_url"
 				l_url := a_response.url (roc_login_location, Void)
 			end
-			if l_destination /= Void then
+			if l_destination /= Void and then not l_url.has_substring ("?destination") then
 				l_url.append ("?destination=" + percent_encoded (l_destination))
 			end
 			a_value.force (l_url, l_url_name)
@@ -324,10 +324,10 @@ feature -- Handler
 			else
 				loc := ""
 			end
-
+				-- Do not try to redirect to previous page or destination!
-			if attached {WSF_STRING} req.query_parameter ("destination") as l_destination then
+--			if attached {WSF_STRING} req.query_parameter ("destination") as l_destination then
-				loc.append ("?destination=" + l_destination.url_encoded_value)
+--				loc.append ("?destination=" + l_destination.url_encoded_value)
-			end
+--			end
 			r.set_redirection (loc)
 			r.execute
 		end

modules/node/node.ecf

@@ -17,7 +17,7 @@
 		<library name="cms_taxonomy_module" location="..\..\modules\taxonomy\taxonomy.ecf" readonly="false"/>
 		<library name="error" location="$ISE_LIBRARY\contrib\library\utility\general\error\error.ecf"/>
 		<library name="http" location="$ISE_LIBRARY\contrib\library\network\protocol\http\http.ecf"/>
-		<library name="http_authorization" location="$ISE_LIBRARY\contrib\library\network\authentication\http_authorization\http_authorization.ecf" readonly="false"/>
+		<library name="http_authorization" location="$ISE_LIBRARY\contrib\library\web\authentication\http_authorization\http_authorization.ecf" readonly="false"/>
 		<library name="json" location="$ISE_LIBRARY\contrib\library\text\parser\json\library\json.ecf"/>
 		<library name="text_filter" location="$ISE_LIBRARY\unstable\library\text\text_filter\text_filter.ecf"/>
 		<library name="time" location="$ISE_LIBRARY\library\time\time.ecf"/>

modules/session_auth/cms_session_auth_module.e

@@ -3,8 +3,8 @@ note
 			This module allows the use Session Based Authentication using Cookies to restrict access
 			by looking up users in the given providers.
 		]"
-	date: "$Date$"
+	date: "$Date: 2016-04-27 16:04:18 +0200 (mer., 27 avr. 2016) $"
-	revision: "$Revision$"
+	revision: "$Revision: 98643 $"
 
 class
 	CMS_SESSION_AUTH_MODULE
@@ -115,7 +115,7 @@ feature -- Access: router
 			if attached session_api as l_session_api then
 				a_router.handle ("/" + login_location, create {WSF_URI_AGENT_HANDLER}.make (agent handle_login (a_api, ?, ?)), a_router.methods_head_get)
 				a_router.handle ("/" + logout_location, create {WSF_URI_AGENT_HANDLER}.make (agent handle_logout (a_api, l_session_api, ?, ?)), a_router.methods_get_post)
-				a_router.handle ("/account/auth/roc-session-login", create {WSF_URI_TEMPLATE_AGENT_HANDLER}.make (agent handle_login_with_session (a_api,session_api, ?, ?)), a_router.methods_get_post)
+				a_router.handle ("/" + login_location, create {WSF_URI_AGENT_HANDLER}.make (agent handle_login_with_session (a_api,session_api, ?, ?)), a_router.methods_post)
 			end
 		end
 
@@ -172,9 +172,10 @@ feature {NONE} -- Implementation: routes
 				attached api.user as l_user
 			then
 					-- Logout Session
-				create l_cookie.make (tok, l_cookie_token.value) -- FIXME: unicode issue?
+				create l_cookie.make (tok, "") -- l_cookie_token.value) -- FIXME: unicode issue?
 				l_cookie.set_path ("/")
-				l_cookie.set_max_age (-1)
+				l_cookie.unset_max_age
+				l_cookie.set_expiration_date (create {DATE_TIME}.make_from_epoch (0))
 				res.add_cookie (l_cookie)
 				api.unset_user
 
@@ -216,8 +217,12 @@ feature {NONE} -- Implementation: routes
 					api.record_user_login (l_user)
 
 					create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
-					if attached {WSF_STRING} req.item ("destination") as p_destination then
+					if
-						r.set_redirection (p_destination.url_encoded_value)
+						attached {WSF_STRING} req.item ("destination") as p_destination and then
+						attached p_destination.value as v and then
+						v.is_valid_as_string_8
+					then
+						r.set_redirection (v.to_string_8)
 					else
 						r.set_redirection ("")
 					end