Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
erp5
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Paul Graydon
erp5
Commits
80453523
Commit
80453523
authored
May 04, 2016
by
Julien Muchembled
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Base: do not check security for unrestricted category value getters
parent
16bedb73
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
122 additions
and
76 deletions
+122
-76
product/CMFCategory/CategoryTool.py
product/CMFCategory/CategoryTool.py
+20
-16
product/ERP5Type/Accessor/Value.py
product/ERP5Type/Accessor/Value.py
+2
-2
product/ERP5Type/Base.py
product/ERP5Type/Base.py
+90
-39
product/ERP5Type/Core/Predicate.py
product/ERP5Type/Core/Predicate.py
+9
-18
product/ERP5Type/tests/testERP5Type.py
product/ERP5Type/tests/testERP5Type.py
+1
-1
No files found.
product/CMFCategory/CategoryTool.py
View file @
80453523
...
...
@@ -1678,11 +1678,14 @@ class CategoryTool( UniqueObject, Folder, Base ):
display_id
=
'title'
)
security
.
declarePublic
(
'resolveCategory'
)
def
resolveCategory
(
self
,
relative_url
,
default
=
_marker
):
def
resolveCategory
(
self
,
relative_url
):
"""
Finds an object from a relative_url
Method is public since we use restrictedTraverse
"""
return
self
.
_resolveCategory
(
relative_url
,
True
)
def
_resolveCategory
(
self
,
relative_url
,
restricted
=
False
):
if
not
isinstance
(
relative_url
,
str
):
# Handle parent base category is a special way
return
relative_url
...
...
@@ -1759,15 +1762,16 @@ class CategoryTool( UniqueObject, Folder, Base ):
stack
.
reverse
()
__traceback_info__
=
relative_url
if
restricted
:
validate
=
getSecurityManager
().
validate
def
restrictedG
etOb
(
container
):
def
g
etOb
(
container
):
obj
=
container
.
_getOb
(
key
,
None
)
if
obj
is
None
or
validate
(
container
,
container
,
key
,
obj
):
return
obj
# if user can't access object try to return default passed
if
default
is
_marker
:
raise
Unauthorized
(
'unauthorized access to element %s'
%
key
)
return
default
else
:
def
getOb
(
container
):
return
container
.
_getOb
(
key
,
None
)
# XXX Currently, resolveCategory accepts that a category might
# not start with a Base Category, but with a Module. This is
...
...
@@ -1778,32 +1782,32 @@ class CategoryTool( UniqueObject, Folder, Base ):
if
stack
:
portal
=
aq_inner
(
self
.
getPortalObject
())
key
=
stack
.
pop
()
obj
=
restrictedG
etOb
(
self
)
obj
=
g
etOb
(
self
)
if
obj
is
None
:
obj
=
restrictedG
etOb
(
portal
)
obj
=
g
etOb
(
portal
)
if
obj
is
not
None
:
obj
=
obj
.
__of__
(
self
)
else
:
while
stack
:
container
=
obj
key
=
stack
.
pop
()
obj
=
restrictedG
etOb
(
container
)
obj
=
g
etOb
(
container
)
if
obj
is
not
None
:
break
obj
=
restrictedG
etOb
(
self
)
obj
=
g
etOb
(
self
)
if
obj
is
None
:
obj
=
restrictedG
etOb
(
portal
)
obj
=
g
etOb
(
portal
)
if
obj
is
not
None
:
obj
=
obj
.
__of__
(
container
)
break
while
obj
is
not
None
and
stack
:
key
=
stack
.
pop
()
obj
=
restrictedG
etOb
(
obj
)
obj
=
g
etOb
(
obj
)
if
obj
is
None
:
LOG
(
'CMFCategory'
,
WARNING
,
'Could not
access
object %s'
%
relative_url
)
'Could not
get
object %s'
%
relative_url
)
if
cache
is
not
None
:
cache
[
cache_key
]
=
obj
...
...
product/ERP5Type/Accessor/Value.py
View file @
80453523
...
...
@@ -122,7 +122,7 @@ class DefaultGetter(BaseGetter):
LOG
(
"ERP5Type Deprecated Getter Id:"
,
0
,
self
.
_id
)
if
args
:
kw
[
'default'
]
=
args
[
0
]
return
instance
.
_
getDefaultAcquiredValue
(
self
.
_key
,
**
kw
)
return
instance
.
getDefaultAcquiredValue
(
self
.
_key
,
**
kw
)
psyco
.
bind
(
__call__
)
...
...
@@ -153,7 +153,7 @@ class ListGetter(BaseGetter):
LOG
(
"ERP5Type Deprecated Getter Id:"
,
0
,
self
.
_id
)
if
args
:
kw
[
'default'
]
=
args
[
0
]
return
instance
.
_
getAcquiredValueList
(
self
.
_key
,
**
kw
)
return
instance
.
getAcquiredValueList
(
self
.
_key
,
**
kw
)
psyco
.
bind
(
__call__
)
...
...
product/ERP5Type/Base.py
View file @
80453523
...
...
@@ -1002,8 +1002,8 @@ class Base( CopyContainer,
#LOG("Get Acquired Property self",0,str(self))
#LOG("Get Acquired Property portal_type",0,str(portal_type))
#LOG("Get Acquired Property base_category",0,str(base_category))
#super_list = self.
_
getValueList(base_category, portal_type=portal_type) # We only do a single jump
super_list
=
self
.
_
getAcquiredValueList
(
base_category
,
portal_type
=
portal_type
,
#super_list = self.getValueList(base_category, portal_type=portal_type) # We only do a single jump
super_list
=
self
.
getAcquiredValueList
(
base_category
,
portal_type
=
portal_type
,
checked_permission
=
checked_permission
)
# Full acquisition
super_list
=
[
o
for
o
in
super_list
if
o
.
getPhysicalPath
()
!=
self
.
getPhysicalPath
()]
# Make sure we do not create stupid loop here
#LOG("Get Acquired Property super_list",0,str(super_list))
...
...
@@ -1131,11 +1131,11 @@ class Base( CopyContainer,
super_list
.
append
(
acquisition_object
)
except
(
KeyError
,
AttributeError
):
pass
super_list
.
extend
(
self
.
_
getAcquiredValueList
(
super_list
+=
self
.
getAcquiredValueList
(
base_category
,
portal_type
=
portal_type
,
checked_permission
=
checked_permission
))
# Full acquisition
checked_permission
=
checked_permission
,
)
# Full acquisition
super_list
=
[
o
for
o
in
super_list
if
o
.
getPhysicalPath
()
!=
self
.
getPhysicalPath
()]
# Make sure we do not create stupid loop here
if
len
(
super_list
)
>
0
:
value
=
[]
...
...
@@ -1891,60 +1891,111 @@ class Base( CopyContainer,
checked_permission
=
None
)
self
.
reindexObject
()
# Unrestricted category value getters
def
_getDefaultValue
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
path
=
self
.
_getDefaultCategoryMembership
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
path
:
return
self
.
_getCategoryTool
().
resolveCategory
(
path
)
return
self
.
_getCategoryTool
().
_
resolveCategory
(
path
)
if
default
is
not
_MARKER
:
return
default
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getDefaultValue'
)
getDefaultValue
=
_getDefaultValue
def
_getValueList
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
ref_list
=
[]
for
path
in
self
.
_getCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
:
category
=
self
.
_getCategoryTool
().
resolveCategory
(
path
)
if
category
is
not
None
:
ref_list
.
append
(
category
)
return
ref_list
if
ref_list
or
default
is
_MARKER
else
default
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getValueList'
)
getValueList
=
_getValueLis
t
ref_list
=
self
.
_getCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
ref_list
:
resolveCategory
=
self
.
_getCategoryTool
().
_resolveCategory
value_list
=
[]
for
path
in
ref_list
:
value
=
resolveCategory
(
path
)
if
value
is
not
None
:
value_list
.
append
(
value
)
return
value_list
if
value_list
or
default
is
_MARKER
else
default
return
ref_list
if
default
is
_MARKER
else
defaul
t
def
_getDefaultAcquiredValue
(
self
,
id
,
spec
=
(),
filter
=
None
,
portal_type
=
(),
evaluate
=
1
,
checked_permission
=
None
,
default
=
None
,
**
kw
):
path
=
self
.
_getDefaultAcquiredCategoryMembership
(
id
,
spec
=
spec
,
filter
=
filter
,
portal_type
=
portal_type
,
base
=
1
,
checked_permission
=
checked_permission
,
**
kw
)
path
=
self
.
_getDefaultAcquiredCategoryMembership
(
id
,
spec
=
spec
,
filter
=
filter
,
portal_type
=
portal_type
,
base
=
1
,
checked_permission
=
checked_permission
,
**
kw
)
if
path
:
return
self
.
_getCategoryTool
().
_resolveCategory
(
path
)
if
default
is
not
_MARKER
:
return
default
def
_getAcquiredValueList
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
ref_list
=
self
.
_getAcquiredCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
ref_list
:
resolveCategory
=
self
.
_getCategoryTool
().
_resolveCategory
value_list
=
[]
for
path
in
ref_list
:
value
=
resolveCategory
(
path
)
if
value
is
not
None
:
value_list
.
append
(
value
)
return
value_list
if
value_list
or
default
is
_MARKER
else
default
return
ref_list
if
default
is
_MARKER
else
default
# Restricted category value getters
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getDefaultValue'
)
def
getDefaultValue
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
path
=
self
.
_getDefaultCategoryMembership
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
path
:
return
self
.
_getCategoryTool
().
resolveCategory
(
path
)
if
default
is
not
_MARKER
:
return
default
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getDefaultAcquiredValue'
)
getDefaultAcquiredValue
=
_getDefaultAcquiredValue
'getValueList'
)
def
getValueList
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
ref_list
=
self
.
_getCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
ref_list
:
resolveCategory
=
self
.
_getCategoryTool
().
resolveCategory
value_list
=
[]
for
path
in
ref_list
:
value
=
resolveCategory
(
path
)
if
value
is
not
None
:
value_list
.
append
(
value
)
return
value_list
if
value_list
or
default
is
_MARKER
else
default
return
ref_list
if
default
is
_MARKER
else
default
def
_getAcquiredValueList
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
ref_list
=
[]
for
path
in
self
.
_getAcquiredCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
):
category
=
self
.
_getCategoryTool
().
resolveCategory
(
path
)
if
category
is
not
None
:
ref_list
.
append
(
category
)
return
ref_list
if
ref_list
or
default
is
_MARKER
else
default
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getDefaultAcquiredValue'
)
def
getDefaultAcquiredValue
(
self
,
id
,
spec
=
(),
filter
=
None
,
portal_type
=
(),
evaluate
=
1
,
checked_permission
=
None
,
default
=
None
,
**
kw
):
path
=
self
.
_getDefaultAcquiredCategoryMembership
(
id
,
spec
=
spec
,
filter
=
filter
,
portal_type
=
portal_type
,
base
=
1
,
checked_permission
=
checked_permission
,
**
kw
)
if
path
:
return
self
.
_getCategoryTool
().
resolveCategory
(
path
)
if
default
is
not
_MARKER
:
return
default
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getAcquiredValueList'
)
getAcquiredValueList
=
_getAcquiredValueList
def
getAcquiredValueList
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
ref_list
=
self
.
_getAcquiredCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
ref_list
:
resolveCategory
=
self
.
_getCategoryTool
().
resolveCategory
value_list
=
[]
for
path
in
ref_list
:
value
=
resolveCategory
(
path
)
if
value
is
not
None
:
value_list
.
append
(
value
)
return
value_list
if
value_list
or
default
is
_MARKER
else
default
return
ref_list
if
default
is
_MARKER
else
default
###
def
_getDefaultRelatedValue
(
self
,
id
,
spec
=
(),
filter
=
None
,
portal_type
=
(),
strict_membership
=
0
,
strict
=
"deprecated"
,
...
...
product/ERP5Type/Core/Predicate.py
View file @
80453523
...
...
@@ -33,8 +33,6 @@ from warnings import warn
from
AccessControl
import
ClassSecurityInfo
from
Acquisition
import
aq_base
,
aq_inner
from
Products.CMFCore.utils
import
getToolByName
from
Products.ERP5Type
import
Permissions
,
PropertySheet
,
interfaces
from
Products.ERP5Type.Accessor.Constant
import
PropertyGetter
as
ConstantGetter
from
Products.ERP5Type.Document
import
newTempBase
...
...
@@ -44,7 +42,6 @@ from Products.ERP5Type.Cache import readOnlyTransactionCache
from
Products.ERP5Type.TransactionalVariable
import
getTransactionalVariable
from
Products.ZSQLCatalog.SQLCatalog
import
SQLQuery
from
Products.ERP5Type.Globals
import
PersistentMapping
from
Products.ERP5Type.UnrestrictedMethod
import
UnrestrictedMethod
from
Products.ERP5Type.UnrestrictedMethod
import
unrestricted_apply
from
Products.CMFCore.Expression
import
Expression
...
...
@@ -199,13 +196,6 @@ class Predicate(XMLObject):
result
=
expression
(
createExpressionContext
(
context
))
return
result
@
UnrestrictedMethod
def
_unrestrictedResolveCategory
(
self
,
*
args
):
# Categories used on predicate can be not available to user query, which
# shall be applied with predicate.
portal_categories
=
getToolByName
(
self
,
'portal_categories'
)
return
portal_categories
.
resolveCategory
(
*
args
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'buildSQLQuery'
)
def
buildSQLQuery
(
self
,
strict_membership
=
0
,
table
=
'category'
,
...
...
@@ -248,7 +238,8 @@ class Predicate(XMLObject):
f
=
(
i
,)
if
i
in
f
else
()
catalog_kw
[
p
]
=
list
(
f
)
portal_catalog
=
getToolByName
(
self
,
'portal_catalog'
)
portal
=
self
.
getPortalObject
()
resolveCategory
=
portal
.
portal_categories
.
_resolveCategory
from_table_dict
=
{}
...
...
@@ -260,7 +251,7 @@ class Predicate(XMLObject):
for
category
in
self
.
getMembershipCriterionCategoryList
():
base_category
=
category
.
split
(
'/'
)[
0
]
# Retrieve base category
if
membership_dict
.
has_key
(
base_category
):
category_value
=
self
.
_unrestrictedResolveCategory
(
category
,
None
)
category_value
=
resolveCategory
(
category
)
if
category_value
is
not
None
:
table_alias
=
"single_%s_%s"
%
(
table
,
base_category
)
from_table_dict
[
table_alias
]
=
'category'
...
...
@@ -282,7 +273,7 @@ class Predicate(XMLObject):
for
category
in
self
.
getMembershipCriterionCategoryList
():
base_category
=
category
.
split
(
'/'
)[
0
]
# Retrieve base category
if
multimembership_dict
.
has_key
(
base_category
):
category_value
=
self
.
_unrestrictedR
esolveCategory
(
category
)
category_value
=
r
esolveCategory
(
category
)
if
category_value
is
not
None
:
join_count
+=
1
table_alias
=
"multi_%s_%s"
%
(
table
,
join_count
)
...
...
@@ -317,7 +308,7 @@ class Predicate(XMLObject):
catalog_kw
[
'where_expression'
]
=
SQLQuery
(
sql_text
)
# force implicit join
catalog_kw
[
'implicit_join'
]
=
True
sql_query
=
portal_catalog
.
buildSQLQuery
(
**
catalog_kw
)
sql_query
=
portal
.
portal
_catalog
.
buildSQLQuery
(
**
catalog_kw
)
# XXX from_table_list is None most of the time after the explicit_join work
for
alias
,
table
in
sql_query
[
'from_table_list'
]:
if
from_table_dict
.
has_key
(
alias
):
...
...
@@ -359,15 +350,15 @@ class Predicate(XMLObject):
def
searchResults
(
self
,
**
kw
):
"""
"""
portal_catalog
=
getToolByName
(
self
,
'portal_catalog'
)
return
portal_catalog
.
searchResults
(
build_sql_query_method
=
self
.
buildSQLQuery
,
**
kw
)
return
self
.
getPortalObject
().
portal_catalog
.
searchResults
(
build_sql_query_method
=
self
.
buildSQLQuery
,
**
kw
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'countResults'
)
def
countResults
(
self
,
REQUEST
=
None
,
used
=
None
,
**
kw
):
"""
"""
portal_catalog
=
getToolByName
(
self
,
'portal_catalog'
)
return
portal_catalog
.
countResults
(
build_sql_query_method
=
self
.
buildSQLQuery
,
**
kw
)
return
self
.
getPortalObject
().
portal_catalog
.
countResults
(
build_sql_query_method
=
self
.
buildSQLQuery
,
**
kw
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getCriterionList'
)
def
getCriterionList
(
self
,
**
kw
):
...
...
product/ERP5Type/tests/testERP5Type.py
View file @
80453523
...
...
@@ -2347,7 +2347,7 @@ class TestERP5Type(PropertySheetTestCase, LogInterceptor):
self
.
_ignore_log_errors
()
logged_errors
=
[
logrecord
for
logrecord
in
self
.
logged
if
logrecord
.
name
==
'CMFCategory'
]
self
.
assertEqual
(
'Could not
access
object region/gamma'
,
self
.
assertEqual
(
'Could not
get
object region/gamma'
,
logged_errors
[
0
].
getMessage
())
def
test_list_accessors
(
self
):
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment