Commit c0effc15 authored by Yoshinori Okuji's avatar Yoshinori Okuji

Rewrite the code of forcing authorization, so that Unauthorized is raised,...

Rewrite the code that forces authorization, so that Unauthorized is raised only if authorization is forced in a given context and a document can be retrieved in an unrestricted way. Otherwise, traversal of any attribute that does not exist fails with Unauthorized, and indexing may fail.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@21255 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent a2c29757
...@@ -47,6 +47,7 @@ from Products.ERP5Type.ExtensibleTraversable import ExtensibleTraversableMixIn ...@@ -47,6 +47,7 @@ from Products.ERP5Type.ExtensibleTraversable import ExtensibleTraversableMixIn
from Products.ERP5Type.Cache import getReadOnlyTransactionCache from Products.ERP5Type.Cache import getReadOnlyTransactionCache
from Products.ERP5.Document.Url import UrlMixIn from Products.ERP5.Document.Url import UrlMixIn
from Products.ERP5.Tool.ContributionTool import MAX_REPEAT from Products.ERP5.Tool.ContributionTool import MAX_REPEAT
from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
from AccessControl import Unauthorized from AccessControl import Unauthorized
_MARKER = [] _MARKER = []
...@@ -308,17 +309,16 @@ class PermanentURLMixIn(ExtensibleTraversableMixIn): ...@@ -308,17 +309,16 @@ class PermanentURLMixIn(ExtensibleTraversableMixIn):
original_id=document.getId(), original_id=document.getId(),
editable_absolute_url=document.absolute_url())) editable_absolute_url=document.absolute_url()))
return document.__of__(self) return document.__of__(self)
# no document found for current user, still such document may exists # no document found for current user, still such document may exists
# in some cases user (like Anonymous) can not view document according to portal catalog # in some cases user (like Anonymous) can not view document according to portal catalog
# but we may ask him to login if such a document exists # but we may ask him to login if such a document exists
# XXX: make sure document exists isAuthorizationForced = getattr(self, 'isAuthorizationForced', None)
if getattr(self, 'isAuthorizationForced', None) is not None: if isAuthorizationForced is not None and isAuthorizationForced():
if self.isAuthorizationForced(): getDocumentValue = UnrestrictedMethod(self.getDocumentValue)
if getDocumentValue(name=name, portal=portal) is not None:
# force user to login as specified in Web Section # force user to login as specified in Web Section
raise Unauthorized raise Unauthorized
else:
# force user to login unconditionally of context
raise Unauthorized
security.declareProtected(Permissions.View, 'getDocumentValue') security.declareProtected(Permissions.View, 'getDocumentValue')
def getDocumentValue(self, name=None, portal=None, **kw): def getDocumentValue(self, name=None, portal=None, **kw):
......
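Review bot: The unrestricted lookup in the new `if isAuthorizationForced is not None and isAuthorizationForced():` branch makes the response depend on whether a document the caller cannot view exists: Unauthorized when it does, and whatever the fall-through produces (not visible here) when it does not. Where authorization is forced, an unauthenticated visitor can therefore tell existing references from missing ones, which looks like an accepted trade-off for the login prompt but is stated nowhere in the code. I would record it above the `UnrestrictedMethod` line, e.g. `# Existence check only: runs without security checks; never return or expose the result, it only decides whether to raise Unauthorized.` The enclosing method starts above the hunk, so how `name` and `portal` reach this point cannot be checked from here.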