Commit 1597877c authored by Jérome Perrin's avatar Jérome Perrin

authentication is not available in before traverse hooks, so we have to do

manual pseudo security check to allow managers to enter arbitrary URLs.



git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@8716 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 15949a8f
...@@ -106,12 +106,12 @@ class ReferCheckerBeforeTraverseHook: ...@@ -106,12 +106,12 @@ class ReferCheckerBeforeTraverseHook:
http_url = request.get('ACTUAL_URL', '').strip() http_url = request.get('ACTUAL_URL', '').strip()
http_referer = request.get('HTTP_REFERER', '').strip() http_referer = request.get('HTTP_REFERER', '').strip()
security_manager = AccessControl.getSecurityManager() user_password = request._authUserPW()
user = security_manager.getUser() if user_password:
user_roles = user.getRolesInContext(object) user = container.acl_users.getUserById(user_password[0]) or\
container.aq_parent.acl_users.getUserById(user_password[0])
# Manager can do anything # Manager can do anything
if 'Manager' in user_roles: if user is not None and 'Manager' in user.getRoles():
return return
portal_url = container.portal_url.getPortalObject().absolute_url() portal_url = container.portal_url.getPortalObject().absolute_url()
...@@ -172,7 +172,9 @@ class ERP5Site(FolderMixIn, CMFSite): ...@@ -172,7 +172,9 @@ class ERP5Site(FolderMixIn, CMFSite):
""" """
BeforeTraverse.registerBeforeTraverse(self, BeforeTraverse.registerBeforeTraverse(self,
ReferCheckerBeforeTraverseHook(), ReferCheckerBeforeTraverseHook(),
ReferCheckerBeforeTraverseHook.handle) ReferCheckerBeforeTraverseHook.handle,
# we want to be registered _after_ CookieCrumbler
100)
def _disableRefererCheck(self): def _disableRefererCheck(self):
"""Disable the HTTP_REFERER check.""" """Disable the HTTP_REFERER check."""
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment