Commit f4e7481f authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

do not check 'Add portal content' permission if 'Add Permission' is set.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@16972 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 381281eb
......@@ -1220,10 +1220,6 @@ class Folder(CopyContainer, CMFBTreeFolder, CMFHBTreeFolder, Base, FolderMixIn,
hidden content types. It allows to be much faster when only the type id
is needed.
"""
if not getSecurityManager().checkPermission(
Permissions.AddPortalContent, self):
return []
portal = self.getPortalObject()
def _getVisibleAllowedContentTypeList():
......@@ -1264,10 +1260,6 @@ class Folder(CopyContainer, CMFBTreeFolder, CMFHBTreeFolder, Base, FolderMixIn,
# permission that "Add portal content". For now, this is only the case for
# Role Definition objects, but this shows that generally speaking, this is
# not the right approach.
if not getSecurityManager().checkPermission(
Permissions.AddPortalContent, self):
return []
def _allowedContentTypes( portal_type=None, user=None, portal_path=None ):
# Sort the list for convenience -yo
# XXX This is not the best solution, because this does not take
......
......@@ -58,7 +58,9 @@ from RoleInformation import ori
from TranslationProviderBase import TranslationProviderBase
from zLOG import LOG
from sys import exc_info
from zLOG import LOG, ERROR
from Products.CMFCore.exceptions import zExceptions_Unauthorized
ERP5TYPE_SECURITY_GROUP_ID_GENERATION_SCRIPT = 'ERP5Type_asSecurityGroupId'
......@@ -205,16 +207,39 @@ class ERP5TypeInformation( FactoryTypeInformation,
#
# Agent methods
#
security.declarePublic('isConstructionAllowed')
def isConstructionAllowed( self, container ):
"""
Does the current user have the permission required in
order to construct an instance?
"""
permission = self.permission
if permission and not _checkPermission( permission, container ):
return 0
return FactoryTypeInformation.isConstructionAllowed(self, container)
def _queryFactoryMethod(self, container, default=None):
if not self.product or not self.factory or container is None:
return default
# In case we aren't wrapped.
dispatcher = getattr(container, 'manage_addProduct', None)
if dispatcher is None:
return default
try:
p = dispatcher[self.product]
except AttributeError:
LOG('Types Tool', ERROR, '_queryFactoryMethod raised an exception',
error=exc_info())
return default
m = getattr(p, self.factory, None)
if m:
try:
# validate() can either raise Unauthorized or return 0 to
# mean unauthorized.
permission = self.permission
if permission and _checkPermission( permission, container ):
return m
elif getSecurityManager().validate(p, p, self.factory, m):
return m
except zExceptions_Unauthorized: # Catch *all* Unauths!
pass
return default
def _getFactoryMethod(self, container, check_security=1):
if not self.product or not self.factory:
......
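Review bot: In `_queryFactoryMethod` the chain `if permission and _checkPermission( permission, container ):` followed by `elif getSecurityManager().validate(p, p, self.factory, m):` lets a user who fails the type's configured add permission fall through to `validate()`, so here a set permission can only widen access and never deny it. The denial lives solely in `isConstructionAllowed`, and this commit also drops the `AddPortalContent` guards from the Folder listing methods, so any caller that reaches `_queryFactoryMethod` directly (none is visible in this hunk) would get the wider behaviour. Consider making a set permission authoritative: `if permission:` with a nested `if _checkPermission(permission, container): return m`, keeping the `elif` for the unset case only. A comment above the branch such as `# self.permission, when set, replaces the factory's own permission check` would record that skipping `validate()` is intentional. The class body and `_getFactoryMethod` continue outside the hunk.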