collective
diff --git a/‎backend/Makefile‎
Lines changed: 1 addition & 1 deletion b/‎backend/Makefile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/pyproject.toml‎
Lines changed: 5 additions & 1 deletion b/‎backend/pyproject.toml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎backend/src/collective/techevent/configure.zcml‎
Lines changed: 5 additions & 0 deletions b/‎backend/src/collective/techevent/configure.zcml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎backend/src/collective/techevent/permissions.zcml‎
Lines changed: 11 additions & 0 deletions b/‎backend/src/collective/techevent/permissions.zcml‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎backend/src/collective/techevent/setuphandlers/base.py‎
Lines changed: 7 additions & 0 deletions b/‎backend/src/collective/techevent/setuphandlers/base.py‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎backend/src/collective/techevent/users/__init__.py‎ b/‎backend/src/collective/techevent/users/__init__.py‎
diff --git a/‎backend/src/collective/techevent/users/behaviors.py‎
Lines changed: 62 additions & 0 deletions b/‎backend/src/collective/techevent/users/behaviors.py‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎backend/src/collective/techevent/users/configure.zcml‎
Lines changed: 26 additions & 0 deletions b/‎backend/src/collective/techevent/users/configure.zcml‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎backend/src/collective/techevent/users/content/__init__.py‎
Lines changed: 104 additions & 0 deletions b/‎backend/src/collective/techevent/users/content/__init__.py‎
Lines changed: 104 additions & 0 deletions
@@ -54,7 +54,7 @@ requirements-mxdev.txt: pyproject.toml mx.ini ## Generate constraints file
 $(VENV_FOLDER): requirements-mxdev.txt ## Install dependencies
 	@echo "$(GREEN)==> Install environment$(RESET)"
 	@uv venv $(VENV_FOLDER)
-	@uv pip install -r requirements-mxdev.txt
+	@uv pip install -r requirements-mxdev.txt Products.membrane pyotp
 
 .PHONY: sync
 sync: $(VENV_FOLDER) ## Sync project dependencies
 
@@ -44,6 +44,10 @@ test = [
     "pytest-cov",
     "pytest-plone>=1.0.0a1",
 ]
+users = [
+    "Products.membrane",
+    "pyotp",
+]
 
 [project.urls]
 Homepage = "https://github.com/collective/tech-event"
@@ -184,4 +188,4 @@ branch = true
 parallel = true
 omit = [
   "src/collective/techevent/locales/*.py",
-]
+]
@@ -1,6 +1,7 @@
 <configure
     xmlns="http://namespaces.zope.org/zope"
     xmlns:i18n="http://namespaces.zope.org/i18n"
+    xmlns:zcml="http://namespaces.zope.org/zcml"
     i18n_domain="collective.techevent"
     >
 
@@ -24,6 +25,10 @@
   <include package=".services" />
   <include package=".subscribers" />
   <include package=".vocabularies" />
+  <include
+      package=".users"
+      zcml:condition="installed Products.membrane"
+      />
 
   <!-- -*- extra stuff goes here -*- -->
 
 
@@ -66,6 +66,17 @@
       title="collective.techevent: Add Keynote"
       />
 
+  <!-- Attendees -->
+  <permission
+      id="collective.techevent.AddAttendees"
+      title="collective.techevent: Add Attendees Database"
+      />
+
+  <permission
+      id="collective.techevent.AddAttendee"
+      title="collective.techevent: Add Attendee"
+      />
+
   <!-- -*- extra stuff goes here -*- -->
 
 </configure>
@@ -1,4 +1,5 @@
 from collective.techevent.utils import setup_tech_event
+from collective.techevent.utils import setup_tech_event_users
 from plone import api
 from Products.GenericSetup.tool import SetupTool
 
@@ -7,3 +8,9 @@ def setup_techevent_settings(portal_setup: SetupTool):
     """Setup event settings for Plone Site."""
     portal = api.portal.get()
     setup_tech_event(portal)
+
+
+def setup_techevent_users(portal_setup: SetupTool):
+    """Setup event attendees for Plone Site."""
+    portal = api.portal.get()
+    setup_tech_event_users(portal)
@@ -0,0 +1,62 @@
+from collective.techevent.users.content import IBaseUser
+from collective.techevent.users.utils import verify_totp_code
+from datetime import datetime
+from datetime import timedelta
+from plone import api
+from plone.keyring.interfaces import IKeyManager
+from Products.CMFPlone.utils import safe_encode
+from Products.membrane import interfaces as ifaces
+from zope.component import adapter
+from zope.component import getUtility
+from zope.interface import implementer
+
+import base64
+import pyotp
+
+
+ALLOWED_STATES = [
+    "registered",
+]
+
+
+@adapter(IBaseUser)
+@implementer(ifaces.IMembraneUserAuth)
+class MembraneUserAuthentication:
+    def __init__(self, context):
+        self.user = context
+
+    def verifyCredentials(self, credentials):
+        """Returns True is password is authenticated, False if not."""
+        user = self.user
+
+        # Initialize _v_totp_guess if not present
+        if not hasattr(user, "_v_totp_guess"):
+            user._v_totp_guess = []
+
+        # Check if the last 5 wrong trials are within the last minute
+        now = datetime.now()
+        user._v_totp_guess = [
+            ts for ts in user._v_totp_guess if now - ts < timedelta(seconds=60)
+        ]
+        if len(user._v_totp_guess) >= 5:
+            return False
+
+        manager = getUtility(IKeyManager)
+        seed = base64.b32encode((user.otp_seed + manager.secret()).encode("utf-8"))
+        totp = pyotp.TOTP(seed.decode("utf-8"), interval=30)
+
+        if not verify_totp_code(totp, credentials.get("password", ""), minutes=10):
+            # Add current timestamp to _v_totp_guess for failed trials
+            user._v_totp_guess.append(now)
+            return False
+
+        return True
+
+    def authenticateCredentials(self, credentials):
+        # Should not authenticate when the user is not enabled.
+        user = self.user
+        state = api.content.get_state(user)
+        if state not in ALLOWED_STATES:
+            return
+        if self.verifyCredentials(credentials):
+            return (user.getUserId(), user.getUserName())
@@ -0,0 +1,26 @@
+<configure
+    xmlns="http://namespaces.zope.org/zope"
+    xmlns:browser="http://namespaces.zope.org/browser"
+    xmlns:plone="http://namespaces.plone.org/plone"
+    xmlns:zcml="http://namespaces.zope.org/zcml"
+    i18n_domain="project.title"
+    >
+
+  <include file="profiles.zcml" />
+
+  <adapter factory=".behaviors.MembraneUserAuthentication" />
+
+  <zcml:configure package="Products.CMFPlone.browser.login">
+    <browser:page
+        name="mail_password_template"
+        for="*"
+        class="collective.techevent.users.password_reset.PasswordResetToolView"
+        template="templates/mail_password_template.pt"
+        permission="zope.Public"
+        layer="collective.techevent.interfaces.IBrowserLayer"
+        />
+  </zcml:configure>
+
+  <include package=".content" />
+
+</configure>
@@ -0,0 +1,104 @@
+from collective.techevent import _
+from collective.techevent.users.utils import validate_unique_email
+from plone import api
+from plone.autoform import directives
+from plone.dexterity.content import Container
+from plone.schema import Email
+from plone.supermodel import model
+from Products.membrane.interfaces import IMembraneUserObject
+from z3c.form.interfaces import IEditForm
+from zope import schema
+from zope.interface import implementer
+from zope.interface import Interface
+from zope.interface import Invalid
+from zope.interface import invariant
+
+
+class IBaseUser(Interface):
+    id = schema.ASCIILine(title=_("User ID"), required=True)
+    directives.order_before(id="*")
+
+    title = schema.TextLine(readonly=True)
+    first_name = schema.TextLine(
+        title=_("First Name"),
+        required=True,
+    )
+    last_name = schema.TextLine(
+        title=_("Last Name"),
+        required=True,
+    )
+    email = Email(
+        title=_("E-mail Address"),
+        required=True,
+    )
+    otp_seed = schema.ASCIILine(
+        title=_("OTP Shared Secret"),
+        required=False,
+    )
+    model.fieldset("credentials", label=_("Credentials"), fields=["email", "otp_seed"])
+
+    directives.read_permission(
+        id="zope2.View",
+        email="zope2.View",
+        text="zope2.View",
+        otp_seed="zope2.ManageUsers",
+    )
+    directives.write_permission(
+        id="cmf.ReviewPortalContent",
+        email="cmf.ReviewPortalContent",
+        text="cmf.ModifyPortalContent",
+        otp_seed="zope2.ManageUsers",
+    )
+    directives.omitted("otp_seed")
+    directives.no_omit(IEditForm, "otp_seed")
+
+    @invariant
+    def email_unique(data):
+        """The email must be unique, as it is the login name (user name).
+
+        The tricky thing is to make sure editing a user and keeping
+        his email the same actually works.
+        """
+        user = data.__context__
+        if user is not None:
+            if getattr(user, "email", None) and user.email == data.email:
+                # No change, fine.
+                return
+        error = validate_unique_email(data.email)
+        if error:
+            raise Invalid(error)
+
+    exclude_from_nav = schema.Bool(
+        default=True,
+        required=False,
+    )
+    directives.omitted("exclude_from_nav")
+
+
+@implementer(IBaseUser, IMembraneUserObject)
+class BaseUser(Container):
+    """A Membrane user."""
+
+    @property
+    def title(self):
+        return f"{self.first_name} {self.last_name}"
+
+    @title.setter
+    def title(self, value):
+        # title is not writable
+        pass
+
+    def getUserId(self):
+        return self.id
+
+    def getUserName(self):
+        return self.email
+
+    def get_full_name(self):
+        return self.title
+
+    @property
+    def user(self):
+        user = api.user.get(userid=self.id)
+        if user:
+            return user