From 596b00eaf0e6201724afea55675266160e1d1a46 Mon Sep 17 00:00:00 2001
From: Romain Courteaud <romain@nexedi.com>
Date: Mon, 13 Dec 2010 18:22:57 +0000
Subject: [PATCH] Remove unprotected access to slap tool.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@41401 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/Vifib/Tool/SlapTool.py | 58 ++++++++++------------------------
 1 file changed, 17 insertions(+), 41 deletions(-)

diff --git a/product/Vifib/Tool/SlapTool.py b/product/Vifib/Tool/SlapTool.py
index 2eaeb3d56b..784f0f54c0 100644
--- a/product/Vifib/Tool/SlapTool.py
+++ b/product/Vifib/Tool/SlapTool.py
@@ -36,7 +36,7 @@ from Products.DCWorkflow.DCWorkflow import ValidationFailed
 from Products.ERP5Security.ERP5UserManager import SUPER_USER
 from Products.ERP5Type.Globals import InitializeClass
 from Products.ERP5Type.Tool.BaseTool import BaseTool
-from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
+from Products.ERP5Type import Permissions
 from lxml import etree
 from slapos.slap.slap import Computer
 from slapos.slap.slap import ComputerPartition as SlapComputerPartition
@@ -56,7 +56,6 @@ def convertToREST(function):
     """
     Log the call, and the result of the call
     """
-    self._loginAsSuperUser()
     try:
       retval = function(self, *args, **kwd)
     except ValueError, log:
@@ -92,7 +91,7 @@ class SlapTool(BaseTool):
   # Public GET methods
   ####################################################
 
-  security.declarePublic('getComputerInformation')
+  security.declareProtected(Permissions.AccessContentsInformation, 'getComputerInformation')
   def getComputerInformation(self, computer_id):
     """Returns marshalled XML of all needed information for computer
 
@@ -102,7 +101,6 @@ class SlapTool(BaseTool):
     """
     computer_document = self._getComputerDocument(computer_id)
     self.REQUEST.response.setHeader('Content-Type', 'text/xml')
-    self._loginAsSuperUser()
 
     slap_computer = Computer(computer_id)
     slap_computer._software_release_list = \
@@ -123,7 +121,7 @@ class SlapTool(BaseTool):
   # Public POST methods
   ####################################################
 
-  security.declarePublic('setComputerPartitionParameterDict')
+  security.declareProtected(Permissions.AccessContentsInformation, 'setComputerPartitionParameterDict')
   def setComputerPartitionConnectionXml(self, computer_id,
                                         computer_partition_id,
                                         connection_xml):
@@ -134,42 +132,42 @@ class SlapTool(BaseTool):
                                                    computer_partition_id,
                                                    connection_xml)
 
-  security.declarePublic('buildingSoftwareRelease')
+  security.declareProtected(Permissions.AccessContentsInformation, 'buildingSoftwareRelease')
   def buildingSoftwareRelease(self, url, computer_id):
     """
     Reports that Software Release is being build
     """
     return self._buildingSoftwareRelease(url, computer_id)
 
-  security.declarePublic('availableSoftwareRelease')
+  security.declareProtected(Permissions.AccessContentsInformation, 'availableSoftwareRelease')
   def availableSoftwareRelease(self, url, computer_id):
     """
     Reports that Software Release is available
     """
     return self._availableSoftwareRelease(url, computer_id)
 
-  security.declarePublic('softwareReleaseError')
+  security.declareProtected(Permissions.AccessContentsInformation, 'softwareReleaseError')
   def softwareReleaseError(self, url, computer_id, error_log):
     """
     Add an error for a software Release workflow
     """
     return self._softwareReleaseError(url, computer_id, error_log)
 
-  security.declarePublic('buildingComputerPartition')
+  security.declareProtected(Permissions.AccessContentsInformation, 'buildingComputerPartition')
   def buildingComputerPartition(self, computer_id, computer_partition_id):
     """
     Reports that Computer Partition is being build
     """
     return self._buildingComputerPartition(computer_id, computer_partition_id)
 
-  security.declarePublic('availableComputerPartition')
+  security.declareProtected(Permissions.AccessContentsInformation, 'availableComputerPartition')
   def availableComputerPartition(self, computer_id, computer_partition_id):
     """
     Reports that Computer Partition is available
     """
     return self._availableComputerPartition(computer_id, computer_partition_id)
 
-  security.declarePublic('softwareInstanceError')
+  security.declareProtected(Permissions.AccessContentsInformation, 'softwareInstanceError')
   def softwareInstanceError(self, computer_id,
                             computer_partition_id, error_log):
     """
@@ -178,28 +176,28 @@ class SlapTool(BaseTool):
     return self._softwareInstanceError(computer_id, computer_partition_id,
                                        error_log)
 
-  security.declarePublic('startedComputerPartition')
+  security.declareProtected(Permissions.AccessContentsInformation, 'startedComputerPartition')
   def startedComputerPartition(self, computer_id, computer_partition_id):
     """
     Reports that Computer Partition is started
     """
     return self._startedComputerPartition(computer_id, computer_partition_id)
 
-  security.declarePublic('stoppedComputerPartition')
+  security.declareProtected(Permissions.AccessContentsInformation, 'stoppedComputerPartition')
   def stoppedComputerPartition(self, computer_id, computer_partition_id):
     """
     Reports that Computer Partition is stopped
     """
     return self._stoppedComputerPartition(computer_id, computer_partition_id)
 
-  security.declarePublic('destroyedComputerPartition')
+  security.declareProtected(Permissions.AccessContentsInformation, 'destroyedComputerPartition')
   def destroyedComputerPartition(self, computer_id, computer_partition_id):
     """
     Reports that Computer Partition is destroyed
     """
     return self._destroyedComputerPartition(computer_id, computer_partition_id)
 
-  security.declarePublic('requestComputerPartition')
+  security.declareProtected(Permissions.AccessContentsInformation, 'requestComputerPartition')
   def requestComputerPartition(self, computer_id, computer_partition_id,
       software_release, software_type, partition_reference, 
       shared_xml, partition_parameter_xml, filter_xml):
@@ -218,7 +216,7 @@ class SlapTool(BaseTool):
         software_release, software_type, partition_reference, 
         shared_xml, partition_parameter_xml, filter_xml)
 
-  security.declarePublic('useComputer')
+  security.declareProtected(Permissions.AccessContentsInformation, 'useComputer')
   def useComputer(self, computer_id, use_string):
     """Entry point to reporting usage of a computer."""
     computer_document = self._getComputerDocument(computer_id)
@@ -227,16 +225,15 @@ class SlapTool(BaseTool):
     self._reportComputerUsage(computer_document, use_string)
     return 'Content properly posted.'
 
-  security.declarePublic('loadComputerConfigurationFromXML')
+  security.declareProtected(Permissions.AccessContentsInformation, 'loadComputerConfigurationFromXML')
   def loadComputerConfigurationFromXML(self, xml):
     "Load the given xml as configuration for the computer object"
-    self._loginAsSuperUser()
     computer_dict = xml_marshaller.xml_marshaller.loads(xml)
     computer = self._getComputerDocument(computer_dict['reference'])
     computer.Computer_updateFromDict(computer_dict)
     return 'Content properly posted.'
 
-  security.declarePublic('useComputerPartition')
+  security.declareProtected(Permissions.AccessContentsInformation, 'useComputerPartition')
   def useComputerPartition(self, computer_id, computer_partition_id, use_string):
     """Warning : deprecated method."""
     computer_document = self._getComputerDocument(computer_id)
@@ -248,7 +245,7 @@ class SlapTool(BaseTool):
     return """Content properly posted.
               WARNING : this method is deprecated. Please use useComputer."""
 
-  security.declarePublic('registerComputerPartition')
+  security.declareProtected(Permissions.AccessContentsInformation, 'registerComputerPartition')
   def registerComputerPartition(self, computer_reference,
                                 computer_partition_reference):
     """
@@ -547,14 +544,6 @@ class SlapTool(BaseTool):
   # Internals methods
   ####################################################
 
-  def _loginAsSuperUser(self):
-    """Inovking python scripts requiers any user, UnrestrictedMethod is not enough"""
-    # XXX-Luke: Workaround of security issues. As soon as security will be
-    # defined there will be no reason to reuse system user.
-    newSecurityManager(None, self.getPortalObject().acl_users.getUserById(
-      SUPER_USER))
-
-  @UnrestrictedMethod
   def _getDocument(self, **kwargs):
     # No need to get all results if an error is raised when at least 2 objects
     # are found
@@ -590,18 +579,14 @@ class SlapTool(BaseTool):
                              reference=computer_partition_reference,
                              grand_parent_uid=computer.getUid())
 
-  @UnrestrictedMethod
   def _getUsageReportServiceDocument(self):
-    self._loginAsSuperUser()
     service_document = self.Base_getUsageReportServiceDocument()
     if service_document is not None:
       return service_document
     raise Unauthorized
 
-  @UnrestrictedMethod
   def _getSoftwareInstanceForComputerPartition(self, computer_id,
       computer_partition_id):
-    self._loginAsSuperUser()
     computer_partition_document = self._getComputerPartitionDocument(
       computer_id, computer_partition_id)
     packing_list_line = self._getSalePackingListLineForComputerPartition(
@@ -618,9 +603,7 @@ class SlapTool(BaseTool):
       else:
         return software_instance
 
-  @UnrestrictedMethod
   def _getSalePackingListLineAsSoftwareInstance(self, sale_packing_list_line):
-    self._loginAsSuperUser()
     merged_dict = sale_packing_list_line.\
       SalePackinListLine_asSoftwareInstnaceComputerPartitionMergedDict()
     if merged_dict is None:
@@ -629,11 +612,9 @@ class SlapTool(BaseTool):
       raise Unauthorized
     return merged_dict
 
-  @UnrestrictedMethod
   def _getSoftwareReleaseValueListForComputer(self, computer_document):
     """Returns list of Software Releases documentsfor computer"""
     portal = self.getPortalObject()
-    self._loginAsSuperUser()
 
     state_list = []
     state_list.extend(portal.getPortalReservedInventoryStateList())
@@ -649,7 +630,6 @@ class SlapTool(BaseTool):
       software_release_list.append(software_release_response)
     return software_release_list
 
-  @UnrestrictedMethod
   def _getSalePackingListLineForComputerPartition(self,
                                                   computer_partition_document):
     """
@@ -659,7 +639,6 @@ class SlapTool(BaseTool):
     portal = self.getPortalObject()
     portal_preferences = portal.portal_preferences
     service_uid_list = []
-    self._loginAsSuperUser()
     for service_relative_url in \
       (portal_preferences.getPreferredInstanceSetupResource(),
        portal_preferences.getPreferredInstanceHostingResource(),
@@ -688,10 +667,8 @@ class SlapTool(BaseTool):
     else:
       return None
 
-  @UnrestrictedMethod
   def _reportComputerUsage(self, computer, usage):
     """Stores usage report of a computer."""
-    self._loginAsSuperUser()
     usage_report_portal_type = 'Usage Report'
     usage_report_module = \
       self.getPortalObject().getDefaultModule(usage_report_portal_type)
@@ -772,7 +749,6 @@ class SlapTool(BaseTool):
         ]
       )
 
-  @UnrestrictedMethod
   def _reportUsage(self, computer_partition, usage):
     """Warning : deprecated method."""
     portal_type = 'Usage Report'
-- 
2.30.9