BusinessTemplate: install as System Processes user.

so that installed objects are owned by System Processes and we can have faster ownership checking for proxy role scripts.

BusinessTemplate: install as System Processes user.
so that installed objects are owned by System Processes and we can have faster ownership checking for proxy role scripts.
11892e1d · Kazuhiko Shiozaki · bcb43861 · 11892e1d · 11892e1d · 11892e1d
Commit 11892e1d authored Oct 26, 2020 by Kazuhiko Shiozaki
3 changed files
--- a/bt5/erp5_core_test/TestTemplateItem/portal_components/test.erp5.testBusinessTemplate.py
+++ b/bt5/erp5_core_test/TestTemplateItem/portal_components/test.erp5.testBusinessTemplate.py
@@ -31,7 +31,6 @@ import unittest
 import logging
 from unittest import expectedFailure, skip

-from AccessControl import getSecurityManager
 from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
 from Acquisition import aq_base
 from App.config import getConfiguration
@@ -2335,7 +2334,7 @@ class BusinessTemplateMixin(ERP5TypeTestCase, LogInterceptor):
    # will be reset:
    expected_local_roles = {
      'ac': ['Manager'],
-      getSecurityManager().getUser().getId(): ['Owner'],
+      'System Processes': ['Owner'],
      'group_function': ['Auditor']
    }
    p = self.getPortal()

--- a/bt5/erp5_forge/TestTemplateItem/portal_components/test.erp5.testTemplateTool.py
+++ b/bt5/erp5_forge/TestTemplateItem/portal_components/test.erp5.testTemplateTool.py
@@ -837,6 +837,18 @@ class TestTemplateTool(ERP5TypeTestCase):
    erp5_test = self.portal.portal_skins['erp5_test']
    self.assertTrue(erp5_test.hasObject('test_file'))

+  def test_ownerhsip(self):
+    self.assertEqual(
+      self.portal.portal_skins.erp5_core.getOwnerTuple(),
+      ([self.portal.getId(), 'acl_users'], 'System Processes'),
+    )
+    bt = self.templates_tool.getInstalledBusinessTemplate("erp5_forge")
+    bt.reinstall(force=True)
+    self.commit()
+    self.assertEqual(
+      self.portal.portal_skins.erp5_forge.getOwnerTuple(),
+      ([self.portal.getId(), 'acl_users'], 'System Processes'),
+    )

 def test_suite():
  suite = unittest.TestSuite()

--- a/product/ERP5/Document/BusinessTemplate.py
+++ b/product/ERP5/Document/BusinessTemplate.py
@@ -33,14 +33,18 @@ from Shared.DC.ZRDB import Aqueduct
 from Shared.DC.ZRDB.Connection import Connection as RDBConnection
 from Products.ERP5Type.Globals import Persistent, PersistentMapping
 from Acquisition import Implicit, aq_base, aq_inner, aq_parent
-from AccessControl import ClassSecurityInfo, Unauthorized, getSecurityManager
+from AccessControl import ClassSecurityInfo, Unauthorized
 from AccessControl.SecurityInfo import ModuleSecurityInfo
+from AccessControl.SecurityManagement import getSecurityManager, \
+  newSecurityManager, setSecurityManager
+from AccessControl.User import nobody
 from Products.CMFCore.utils import getToolByName
 from Products.PythonScripts.PythonScript import PythonScript
 from Products.ZSQLMethods.SQL import SQL
 from Products.ERP5Type.Accessor.Constant import PropertyGetter as ConstantGetter
 from Products.ERP5Type.Cache import transactional_cached
 from Products.ERP5Type.Message import translateString
+from Products.ERP5Type.UnrestrictedMethod import super_user
 from Products.ERP5Type.Utils import readLocalDocument, \
                                    writeLocalDocument, \
                                    importLocalDocument, \
@@ -5539,10 +5543,20 @@ Business Template is a set of definitions, such as skins, portal types and categ
      site.portal_caches.clearAllCache()

    security.declareProtected(Permissions.ManagePortal, 'install')
-    install = _install
+    def install(self, *args, **kw):
+      # switch to nobody temporarily so that unrestricted _install
+      # is always invoked by system user.
+      sm = getSecurityManager()
+      newSecurityManager(None, nobody)
+      try:
+        with super_user():
+          return self._install(*args, **kw)
+      finally:
+        # Restore the original user.
+        setSecurityManager(sm)

    security.declareProtected(Permissions.ManagePortal, 'reinstall')
-    reinstall = _install
+    reinstall = install

    security.declareProtected(Permissions.ManagePortal, 'trash')
    def trash(self, new_bt, **kw):