Commit 756879f3 authored by Rafael Monnerat's avatar Rafael Monnerat

erp5_maileva_connector: Rework security to not require roles

   The way to use the connector should NOT require us to set Roles on portal_web_services objects.

   Documents on portal_web_services contain passwords to third-party software, so they should not be accessible by the user (even with proper roles).

   I set a minimal set of proxy roles and reworked the code to use the path rather than the object, so that roles are not required everywhere.
parent c0edd948
portal = context.getPortalObject() portal = context.getPortalObject()
maileva_connector = portal.ERP5Site_getAvailableMailevaSOAPConnector() maileva_connector_path = portal.ERP5Site_getAvailableMailevaSOAPConnector()
maileva_connector = portal.restrictTraverse(maileva_connector_path)
notification_dict = maileva_connector.checkPendingNotifications() notification_dict = maileva_connector.checkPendingNotifications()
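Review bot: The new lookup line calls `portal.restrictTraverse(maileva_connector_path)`, whereas the other two updated callers on this page use `restrictedTraverse`. This looks like a typo, and the call would fail at runtime before `checkPendingNotifications()` is reached. It should read `maileva_connector = portal.restrictedTraverse(maileva_connector_path)`. The rest of the script lies outside the lines shown here.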
......
from zExceptions import Unauthorized
if REQUEST is not None:
raise Unauthorized
maileva_connector = context.portal_catalog.getResultValue( maileva_connector = context.portal_catalog.getResultValue(
portal_type='Maileva SOAP Connector', portal_type='Maileva SOAP Connector',
reference=reference, reference=reference,
validation_state='validated') validation_state='validated')
if not maileva_connector: if not maileva_connector:
raise ValueError('Maileav soap connector is not defined') raise ValueError('Maileav soap connector is not defined')
return maileva_connector return maileva_connector.getRelativeUrl()
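Review bot: The script now returns a path string instead of the connector object, but its name still suggests it returns the connector and nothing in the body documents the change. A caller missed by this commit would only fail when it first calls a method on the result. A leading comment such as `# Returns the connector's relative URL, not the object; callers resolve it with restrictedTraverse() under their own security context.` would make the contract explicit. The new guard deserves `# Refuse direct publication: a URL call receives REQUEST, internal callers leave it None.` above it. The `ValueError` message also misspells the product name as 'Maileav'.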
...@@ -50,7 +50,15 @@ ...@@ -50,7 +50,15 @@
</item> </item>
<item> <item>
<key> <string>_params</string> </key> <key> <string>_params</string> </key>
<value> <string>reference="maileva_soap_connector"</string> </value> <value> <string>reference="maileva_soap_connector", REQUEST=None</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Manager</string>
</tuple>
</value>
</item> </item>
<item> <item>
<key> <string>id</string> </key> <key> <string>id</string> </key>
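Review bot: `_proxy_roles` is set to `Manager`, the broadest role, although the description aims for a minimal set; security checks made while this script runs are evaluated as Manager whatever the caller's own roles are. The second metadata section further down adds the same tuple. The `REQUEST=None` guard stops the script from being published by URL, but restricted scripts or templates that a user can run may still call it. If the connector's workflow grants access to a narrower role, prefer that role here. The permission mapping is not visible on this page, so this needs confirming against the workflow.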
......
maileva_connector = context.getPortalObject().ERP5Site_getAvailableMailevaSOAPConnector() portal = context.getPortalObject()
maileva_connector = portal.restrictedTraverse(portal.ERP5Site_getAvailableMailevaSOAPConnector())
result = maileva_connector.getPendingNotificationDetails(track_id) result = maileva_connector.getPendingNotificationDetails(track_id)
if result['status'] == "SENT": if result['status'] == "SENT":
document = context.getFollowUpValue() document = context.getFollowUpValue()
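Review bot: `portal.restrictedTraverse(...)` applies access checks with the roles in effect for this calling script, and the call to `getPendingNotificationDetails` that follows is checked the same way. If users no longer hold roles on portal_web_services, this lookup therefore depends on the caller having its own proxy roles. This script's metadata is not shown, so please confirm it has them, otherwise the traverse is likely to raise Unauthorized. The same applies to the other two callers that resolve the path, in the first and last sections. A comment such as `# Requires proxy roles: users have no role on portal_web_services.` next to the traverse would record the dependency.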
......
from zExceptions import Unauthorized
if REQUEST is not None:
raise Unauthorized
connector = context.getResourceValue() connector = context.getResourceValue()
connector.submitRequest(context) connector.submitRequest(context)
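Review bot: `context.getResourceValue()` is used unchecked, and the metadata section that follows appears to give this script the `Manager` proxy role. `submitRequest` is therefore invoked on whatever object the document's resource points to, and a missing resource surfaces as an attribute error on None. Proxy roles remove the permission check that used to limit which connector a user could reach, so validate the target first, for example `if connector is None or connector.getPortalType() != 'Maileva SOAP Connector': raise ValueError('No Maileva SOAP connector set')`. Also requiring the validated state, as the lookup script does, would keep the two consistent.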
...@@ -50,7 +50,15 @@ ...@@ -50,7 +50,15 @@
</item> </item>
<item> <item>
<key> <string>_params</string> </key> <key> <string>_params</string> </key>
<value> <string></string> </value> <value> <string>REQUEST=None</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Manager</string>
</tuple>
</value>
</item> </item>
<item> <item>
<key> <string>id</string> </key> <key> <string>id</string> </key>
......
...@@ -4,7 +4,8 @@ now = DateTime() ...@@ -4,7 +4,8 @@ now = DateTime()
portal = context.getPortalObject() portal = context.getPortalObject()
# Do some check here # Do some check here
maileva_connector = portal.ERP5Site_getAvailableMailevaSOAPConnector() maileva_connector_path = portal.ERP5Site_getAvailableMailevaSOAPConnector()
maileva_connector = portal.restrictedTraverse(maileva_connector_path)
today = now.toZone('UTC').asdatetime().strftime('%Y-%m-%d') today = now.toZone('UTC').asdatetime().strftime('%Y-%m-%d')
number = str(portal.portal_ids.generateNewId( number = str(portal.portal_ids.generateNewId(
......