notification_tool: fix Unauthorized when sending message to person user cannot access
When a user triggers `NotificationTool.sendMessage(recipient=user_id)` to a recipient she does not have access permission on, it now causes this problem (the caller context is a custom script with manager proxy role):

```
  Module Products.ERP5.Tool.NotificationTool, line 322, in sendMessage
    person_value = getUserValueByUserId(person)
  Module Products.ERP5.Tool.NotificationTool, line 291, in getUserValueByUserId
    return portal.restrictedTraverse(user['path'])
  Module OFS.Traversable, line 317, in restrictedTraverse
    return self.unrestrictedTraverse(path, default, restricted=True)
  Module OFS.Traversable, line 251, in unrestrictedTraverse
   - __traceback_info__: (['redacted_person_id'], 'person_module')
    next = guarded_getattr(obj, name)
Unauthorized: You are not allowed to access 'person_module' in this context
```

This is a regression caused by 62d8d3ac. That particular case was working before, because the person was looked up using [catalog](https://lab.nexedi.com/nexedi/erp5/blob/882f0022c7af4f36c2f31643498ac0b5d82c2217/product/ERP5/Tool/NotificationTool.py#L321-322) so the proxy role from the caller script was taken into account.

Now, we can say that the approach suggested here is not correct and document that the current logged in user must have permission to access the person documents involved as sender or recipient in the notification. Then, if we need to send a message to persons the current user does not have access permission on, instead of using:

```python
portal.portal_notifications.sendMessage(recipient=person.getUserId())
```

just do:

```python
portal.portal_notifications.sendMessage(recipient=person)
```

but the latter does not allow for using activities.

/cc @vpelletier @gabriel

/reviewed-on !395