Commit 3fbddb7f authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

The permissions guard check should also respect the caller's proxy roles, as the roles guard already does.

parent 77fa7de1
...@@ -10,13 +10,13 @@ ...@@ -10,13 +10,13 @@
# FOR A PARTICULAR PURPOSE # FOR A PARTICULAR PURPOSE
# #
############################################################################## ##############################################################################
from Products.CMFCore.utils import _checkPermission
from Products.DCWorkflow.Guard import Guard from Products.DCWorkflow.Guard import Guard
from Products.PythonScripts.PythonScript import PythonScript from Products.PythonScripts.PythonScript import PythonScript
from App.special_dtml import DTMLFile from App.special_dtml import DTMLFile
from Products.ERP5Type import _dtmldir from Products.ERP5Type import _dtmldir
from AccessControl import ClassSecurityInfo, getSecurityManager from AccessControl import ClassSecurityInfo, getSecurityManager
from AccessControl.class_init import InitializeClass from AccessControl.class_init import InitializeClass
from AccessControl.PermissionRole import rolesForPermissionOn
from OFS.misc_ import p_ from OFS.misc_ import p_
from App.ImageFile import ImageFile from App.ImageFile import ImageFile
from Acquisition import aq_base, aq_parent from Acquisition import aq_base, aq_parent
...@@ -109,26 +109,31 @@ def checkGuard(guard, ob): ...@@ -109,26 +109,31 @@ def checkGuard(guard, ob):
# returns 1 if guard passes against ob, else 0. # returns 1 if guard passes against ob, else 0.
# TODO : implement TALES evaluation by defining an appropriate # TODO : implement TALES evaluation by defining an appropriate
# context. # context.
sm = None u_roles = None
if guard.permissions: def getRoles():
for p in guard.permissions:
if _checkPermission(p, ob):
break
else:
return 0
if guard.roles:
if sm is None:
sm = getSecurityManager() sm = getSecurityManager()
u = sm.getUser() u = sm.getUser()
def getRoles():
stack = sm._context.stack stack = sm._context.stack
if stack and len(stack) > 1: if stack and len(stack) > 1:
eo = stack[-2] # -1 is the current script. eo = stack[-2] # -1 is the current script.
proxy_roles = getattr(eo, '_proxy_roles', None) proxy_roles = getattr(eo, '_proxy_roles', None)
if proxy_roles: if proxy_roles:
roles = proxy_roles
return proxy_roles return proxy_roles
return u.getRolesInContext(ob) roles = u.getRolesInContext(ob)
return roles
if guard.permissions:
# Require at least one role for required roles for the given permission.
if u_roles is None:
u_roles = getRoles()
for p in guard.permissions:
if set(rolesForPermissionOn(p, ob)).intersection(u_roles):
break
else:
return 0
if guard.roles:
# Require at least one of the given roles. # Require at least one of the given roles.
if u_roles is None:
u_roles = getRoles() u_roles = getRoles()
for role in guard.roles: for role in guard.roles:
if role in u_roles: if role in u_roles:
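Review bot: The new test `if set(rolesForPermissionOn(p, ob)).intersection(u_roles):` is stricter than the `_checkPermission` call it replaces in at least one case: as far as I recall, Zope's security policy grants a permission whose role list contains `Anonymous` to every user, whereas `u.getRolesInContext(ob)` for a logged-in user yields `Authenticated` but not `Anonymous`, so a permission that is open to anonymous users would now fail the guard for authenticated ones. Worth confirming against the policy; if it holds, split the check into `roles_for_perm = rolesForPermissionOn(p, ob)` and `if 'Anonymous' in roles_for_perm or set(roles_for_perm).intersection(u_roles):`. Separately, `roles = proxy_roles` inside `getRoles` is dead on that path since the next line returns `proxy_roles` directly, and `u_roles` could be built once as `set(getRoles())` instead of converting per permission. `checkGuard` starts before this hunk and its body continues past it.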
...@@ -137,7 +142,6 @@ def checkGuard(guard, ob): ...@@ -137,7 +142,6 @@ def checkGuard(guard, ob):
return 0 return 0
if guard.groups: if guard.groups:
# Require at least one of the specified groups. # Require at least one of the specified groups.
if sm is None:
sm = getSecurityManager() sm = getSecurityManager()
u = sm.getUser() u = sm.getUser()
b = aq_base( u ) b = aq_base( u )