Commit 6e014198 authored by Aurel's avatar Aurel

Do not join any longer with the roles_and_user table when doing

search/countResults; instead, make a first request to get the security uid
and pass the result


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@12959 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent febb03ac
......@@ -45,7 +45,7 @@ from Products.CMFCore.Expression import Expression
from Products.PageTemplates.Expressions import getEngine
from MethodObject import Method
import os, time, urllib
import os, time, urllib, warnings
from zLOG import LOG
SECURITY_USING_NUX_USER_GROUPS, SECURITY_USING_PAS = range(2)
......@@ -425,13 +425,32 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
return allowedRolesAndUsers
security.declarePrivate('getSecurityUid')
def getSecurityUid(self, **kw):
"""
Return list of security oid for given roles list
"""
catalog = self.getSQLCatalog()
method = getattr(catalog, catalog.sql_search_security, '')
if method in ('', None):
# XXX old way, should not be used anylonger
warnings.warn("The usage of allowedRolesAndUsers is deprecated.\n"
"Please update your business template erp5_mysql_innodb.",
DeprecationWarning)
kw['allowedRolesAndUsers'] = self.getAllowedRolesAndUsers(**kw)
else:
allowedRolesAndUsers = ["'%s'" % (role, ) for role in self.getAllowedRolesAndUsers(**kw)]
security_uid_list = [x.uid for x in method(security_roles_list = allowedRolesAndUsers)]
kw['security_uid'] = security_uid_list
return kw
# searchResults has inherited security assertions.
def searchResults(self, REQUEST=None, **kw):
"""
Calls ZCatalog.searchResults with extra arguments that
limit the results to what the user is allowed to see.
"""
kw[ 'allowedRolesAndUsers' ] = self.getAllowedRolesAndUsers(**kw) # XXX allowedRolesAndUsers naming is wrong
kw = self.getSecurityUid(**kw)
if not _checkPermission(
CMFCorePermissions.AccessInactivePortalContent, self ):
......@@ -457,11 +476,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
Calls ZCatalog.countResults with extra arguments that
limit the results to what the user is allowed to see.
"""
kw[ 'allowedRolesAndUsers' ] = self.getAllowedRolesAndUsers(**kw) # XXX allowedRolesAndUsers naming is wrong
# Forget about permissions in statistics
# (we should not count lines more than once with statistic expressions)
if kw.has_key('select_expression'): del kw[ 'allowedRolesAndUsers' ]
kw = self.getSecurityUid(**kw)
# XXX This needs to be set again
#if not _checkPermission(
......
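Review bot: In getSecurityUid the role and user tokens are wrapped in single quotes by hand with `"'%s'" % (role, )` before being passed as `security_roles_list`, so a quote or backslash inside a role, group or user id is not escaped. The `sql_search_security` ZSQL method is not visible on this page, but pre-quoting in Python suggests it interpolates the list verbatim; I would pass the raw strings and let the template quote each value (for example `<dtml-sqlvar>` inside a `<dtml-in>`), or quote through the database connection instead of string formatting. The same function assigns `kw['security_uid']` whatever the lookup returns, including an empty list, so it is worth confirming that the catalog treats an empty list as "match nothing" rather than dropping the criterion, and recording that with a comment such as `# an empty security_uid list must yield no results, never an unfiltered search`. Indentation and the +/- markers are lost in this rendering, so this is read from the new-side lines only.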