Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
erp5_fork
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Eteri
erp5_fork
Commits
80453523
Commit
80453523
authored
May 04, 2016
by
Julien Muchembled
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Base: do not check security for unrestricted category value getters
parent
16bedb73
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
122 additions
and
76 deletions
+122
-76
product/CMFCategory/CategoryTool.py
product/CMFCategory/CategoryTool.py
+20
-16
product/ERP5Type/Accessor/Value.py
product/ERP5Type/Accessor/Value.py
+2
-2
product/ERP5Type/Base.py
product/ERP5Type/Base.py
+90
-39
product/ERP5Type/Core/Predicate.py
product/ERP5Type/Core/Predicate.py
+9
-18
product/ERP5Type/tests/testERP5Type.py
product/ERP5Type/tests/testERP5Type.py
+1
-1
No files found.
product/CMFCategory/CategoryTool.py
View file @
80453523
...
...
@@ -1678,11 +1678,14 @@ class CategoryTool( UniqueObject, Folder, Base ):
display_id
=
'title'
)
security
.
declarePublic
(
'resolveCategory'
)
def
resolveCategory
(
self
,
relative_url
,
default
=
_marker
):
def
resolveCategory
(
self
,
relative_url
):
"""
Finds an object from a relative_url
Method is public since we use restrictedTraverse
"""
return
self
.
_resolveCategory
(
relative_url
,
True
)
def
_resolveCategory
(
self
,
relative_url
,
restricted
=
False
):
if
not
isinstance
(
relative_url
,
str
):
# Handle parent base category is a special way
return
relative_url
...
...
@@ -1759,15 +1762,16 @@ class CategoryTool( UniqueObject, Folder, Base ):
stack
.
reverse
()
__traceback_info__
=
relative_url
validate
=
getSecurityManager
().
validate
def
restrictedGetOb
(
container
):
obj
=
container
.
_getOb
(
key
,
None
)
if
obj
is
None
or
validate
(
container
,
container
,
key
,
obj
):
return
obj
# if user can't access object try to return default passed
if
default
is
_marker
:
if
restricted
:
validate
=
getSecurityManager
().
validate
def
getOb
(
container
):
obj
=
container
.
_getOb
(
key
,
None
)
if
obj
is
None
or
validate
(
container
,
container
,
key
,
obj
):
return
obj
raise
Unauthorized
(
'unauthorized access to element %s'
%
key
)
return
default
else
:
def
getOb
(
container
):
return
container
.
_getOb
(
key
,
None
)
# XXX Currently, resolveCategory accepts that a category might
# not start with a Base Category, but with a Module. This is
...
...
@@ -1778,32 +1782,32 @@ class CategoryTool( UniqueObject, Folder, Base ):
if
stack
:
portal
=
aq_inner
(
self
.
getPortalObject
())
key
=
stack
.
pop
()
obj
=
restrictedG
etOb
(
self
)
obj
=
g
etOb
(
self
)
if
obj
is
None
:
obj
=
restrictedG
etOb
(
portal
)
obj
=
g
etOb
(
portal
)
if
obj
is
not
None
:
obj
=
obj
.
__of__
(
self
)
else
:
while
stack
:
container
=
obj
key
=
stack
.
pop
()
obj
=
restrictedG
etOb
(
container
)
obj
=
g
etOb
(
container
)
if
obj
is
not
None
:
break
obj
=
restrictedG
etOb
(
self
)
obj
=
g
etOb
(
self
)
if
obj
is
None
:
obj
=
restrictedG
etOb
(
portal
)
obj
=
g
etOb
(
portal
)
if
obj
is
not
None
:
obj
=
obj
.
__of__
(
container
)
break
while
obj
is
not
None
and
stack
:
key
=
stack
.
pop
()
obj
=
restrictedG
etOb
(
obj
)
obj
=
g
etOb
(
obj
)
if
obj
is
None
:
LOG
(
'CMFCategory'
,
WARNING
,
'Could not
access
object %s'
%
relative_url
)
'Could not
get
object %s'
%
relative_url
)
if
cache
is
not
None
:
cache
[
cache_key
]
=
obj
...
...
product/ERP5Type/Accessor/Value.py
View file @
80453523
...
...
@@ -122,7 +122,7 @@ class DefaultGetter(BaseGetter):
LOG
(
"ERP5Type Deprecated Getter Id:"
,
0
,
self
.
_id
)
if
args
:
kw
[
'default'
]
=
args
[
0
]
return
instance
.
_
getDefaultAcquiredValue
(
self
.
_key
,
**
kw
)
return
instance
.
getDefaultAcquiredValue
(
self
.
_key
,
**
kw
)
psyco
.
bind
(
__call__
)
...
...
@@ -153,7 +153,7 @@ class ListGetter(BaseGetter):
LOG
(
"ERP5Type Deprecated Getter Id:"
,
0
,
self
.
_id
)
if
args
:
kw
[
'default'
]
=
args
[
0
]
return
instance
.
_
getAcquiredValueList
(
self
.
_key
,
**
kw
)
return
instance
.
getAcquiredValueList
(
self
.
_key
,
**
kw
)
psyco
.
bind
(
__call__
)
...
...
product/ERP5Type/Base.py
View file @
80453523
...
...
@@ -1002,8 +1002,8 @@ class Base( CopyContainer,
#LOG("Get Acquired Property self",0,str(self))
#LOG("Get Acquired Property portal_type",0,str(portal_type))
#LOG("Get Acquired Property base_category",0,str(base_category))
#super_list = self.
_
getValueList(base_category, portal_type=portal_type) # We only do a single jump
super_list
=
self
.
_
getAcquiredValueList
(
base_category
,
portal_type
=
portal_type
,
#super_list = self.getValueList(base_category, portal_type=portal_type) # We only do a single jump
super_list
=
self
.
getAcquiredValueList
(
base_category
,
portal_type
=
portal_type
,
checked_permission
=
checked_permission
)
# Full acquisition
super_list
=
[
o
for
o
in
super_list
if
o
.
getPhysicalPath
()
!=
self
.
getPhysicalPath
()]
# Make sure we do not create stupid loop here
#LOG("Get Acquired Property super_list",0,str(super_list))
...
...
@@ -1131,11 +1131,11 @@ class Base( CopyContainer,
super_list
.
append
(
acquisition_object
)
except
(
KeyError
,
AttributeError
):
pass
super_list
.
extend
(
self
.
_
getAcquiredValueList
(
base_category
,
portal_type
=
portal_type
,
checked_permission
=
checked_permission
))
# Full acquisition
super_list
+=
self
.
getAcquiredValueList
(
base_category
,
portal_type
=
portal_type
,
checked_permission
=
checked_permission
,
)
# Full acquisition
super_list
=
[
o
for
o
in
super_list
if
o
.
getPhysicalPath
()
!=
self
.
getPhysicalPath
()]
# Make sure we do not create stupid loop here
if
len
(
super_list
)
>
0
:
value
=
[]
...
...
@@ -1891,60 +1891,111 @@ class Base( CopyContainer,
checked_permission
=
None
)
self
.
reindexObject
()
# Unrestricted category value getters
def
_getDefaultValue
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
path
=
self
.
_getDefaultCategoryMembership
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
path
:
return
self
.
_getCategoryTool
().
resolveCategory
(
path
)
return
self
.
_getCategoryTool
().
_
resolveCategory
(
path
)
if
default
is
not
_MARKER
:
return
default
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getDefaultValue'
)
getDefaultValue
=
_getDefaultValue
def
_getValueList
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
ref_list
=
[]
for
path
in
self
.
_getCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
:
category
=
self
.
_getCategoryTool
().
resolveCategory
(
path
)
if
category
is
not
None
:
ref_list
.
append
(
category
)
return
ref_list
if
ref_list
or
default
is
_MARKER
else
default
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getValueList'
)
getValueList
=
_getValueLis
t
ref_list
=
self
.
_getCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
ref_list
:
resolveCategory
=
self
.
_getCategoryTool
().
_resolveCategory
value_list
=
[]
for
path
in
ref_list
:
value
=
resolveCategory
(
path
)
if
value
is
not
None
:
value_list
.
append
(
value
)
return
value_list
if
value_list
or
default
is
_MARKER
else
default
return
ref_list
if
default
is
_MARKER
else
defaul
t
def
_getDefaultAcquiredValue
(
self
,
id
,
spec
=
(),
filter
=
None
,
portal_type
=
(),
evaluate
=
1
,
checked_permission
=
None
,
default
=
None
,
**
kw
):
path
=
self
.
_getDefaultAcquiredCategoryMembership
(
id
,
spec
=
spec
,
filter
=
filter
,
portal_type
=
portal_type
,
base
=
1
,
checked_permission
=
checked_permission
,
**
kw
)
path
=
self
.
_getDefaultAcquiredCategoryMembership
(
id
,
spec
=
spec
,
filter
=
filter
,
portal_type
=
portal_type
,
base
=
1
,
checked_permission
=
checked_permission
,
**
kw
)
if
path
:
return
self
.
_getCategoryTool
().
_resolveCategory
(
path
)
if
default
is
not
_MARKER
:
return
default
def
_getAcquiredValueList
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
ref_list
=
self
.
_getAcquiredCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
ref_list
:
resolveCategory
=
self
.
_getCategoryTool
().
_resolveCategory
value_list
=
[]
for
path
in
ref_list
:
value
=
resolveCategory
(
path
)
if
value
is
not
None
:
value_list
.
append
(
value
)
return
value_list
if
value_list
or
default
is
_MARKER
else
default
return
ref_list
if
default
is
_MARKER
else
default
# Restricted category value getters
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getDefaultValue'
)
def
getDefaultValue
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
path
=
self
.
_getDefaultCategoryMembership
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
path
:
return
self
.
_getCategoryTool
().
resolveCategory
(
path
)
if
default
is
not
_MARKER
:
return
default
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getDefaultAcquiredValue'
)
getDefaultAcquiredValue
=
_getDefaultAcquiredValue
'getValueList'
)
def
getValueList
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
ref_list
=
self
.
_getCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
ref_list
:
resolveCategory
=
self
.
_getCategoryTool
().
resolveCategory
value_list
=
[]
for
path
in
ref_list
:
value
=
resolveCategory
(
path
)
if
value
is
not
None
:
value_list
.
append
(
value
)
return
value_list
if
value_list
or
default
is
_MARKER
else
default
return
ref_list
if
default
is
_MARKER
else
default
def
_getAcquiredValueList
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
ref_list
=
[]
for
path
in
self
.
_getAcquiredCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
):
category
=
self
.
_getCategoryTool
().
resolveCategory
(
path
)
if
category
is
not
None
:
ref_list
.
append
(
category
)
return
ref_list
if
ref_list
or
default
is
_MARKER
else
default
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getDefaultAcquiredValue'
)
def
getDefaultAcquiredValue
(
self
,
id
,
spec
=
(),
filter
=
None
,
portal_type
=
(),
evaluate
=
1
,
checked_permission
=
None
,
default
=
None
,
**
kw
):
path
=
self
.
_getDefaultAcquiredCategoryMembership
(
id
,
spec
=
spec
,
filter
=
filter
,
portal_type
=
portal_type
,
base
=
1
,
checked_permission
=
checked_permission
,
**
kw
)
if
path
:
return
self
.
_getCategoryTool
().
resolveCategory
(
path
)
if
default
is
not
_MARKER
:
return
default
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getAcquiredValueList'
)
getAcquiredValueList
=
_getAcquiredValueList
def
getAcquiredValueList
(
self
,
id
,
spec
=
(),
filter
=
None
,
default
=
_MARKER
,
**
kw
):
ref_list
=
self
.
_getAcquiredCategoryMembershipList
(
id
,
base
=
1
,
spec
=
spec
,
filter
=
filter
,
**
kw
)
if
ref_list
:
resolveCategory
=
self
.
_getCategoryTool
().
resolveCategory
value_list
=
[]
for
path
in
ref_list
:
value
=
resolveCategory
(
path
)
if
value
is
not
None
:
value_list
.
append
(
value
)
return
value_list
if
value_list
or
default
is
_MARKER
else
default
return
ref_list
if
default
is
_MARKER
else
default
###
def
_getDefaultRelatedValue
(
self
,
id
,
spec
=
(),
filter
=
None
,
portal_type
=
(),
strict_membership
=
0
,
strict
=
"deprecated"
,
...
...
product/ERP5Type/Core/Predicate.py
View file @
80453523
...
...
@@ -33,8 +33,6 @@ from warnings import warn
from
AccessControl
import
ClassSecurityInfo
from
Acquisition
import
aq_base
,
aq_inner
from
Products.CMFCore.utils
import
getToolByName
from
Products.ERP5Type
import
Permissions
,
PropertySheet
,
interfaces
from
Products.ERP5Type.Accessor.Constant
import
PropertyGetter
as
ConstantGetter
from
Products.ERP5Type.Document
import
newTempBase
...
...
@@ -44,7 +42,6 @@ from Products.ERP5Type.Cache import readOnlyTransactionCache
from
Products.ERP5Type.TransactionalVariable
import
getTransactionalVariable
from
Products.ZSQLCatalog.SQLCatalog
import
SQLQuery
from
Products.ERP5Type.Globals
import
PersistentMapping
from
Products.ERP5Type.UnrestrictedMethod
import
UnrestrictedMethod
from
Products.ERP5Type.UnrestrictedMethod
import
unrestricted_apply
from
Products.CMFCore.Expression
import
Expression
...
...
@@ -199,13 +196,6 @@ class Predicate(XMLObject):
result
=
expression
(
createExpressionContext
(
context
))
return
result
@
UnrestrictedMethod
def
_unrestrictedResolveCategory
(
self
,
*
args
):
# Categories used on predicate can be not available to user query, which
# shall be applied with predicate.
portal_categories
=
getToolByName
(
self
,
'portal_categories'
)
return
portal_categories
.
resolveCategory
(
*
args
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'buildSQLQuery'
)
def
buildSQLQuery
(
self
,
strict_membership
=
0
,
table
=
'category'
,
...
...
@@ -248,7 +238,8 @@ class Predicate(XMLObject):
f
=
(
i
,)
if
i
in
f
else
()
catalog_kw
[
p
]
=
list
(
f
)
portal_catalog
=
getToolByName
(
self
,
'portal_catalog'
)
portal
=
self
.
getPortalObject
()
resolveCategory
=
portal
.
portal_categories
.
_resolveCategory
from_table_dict
=
{}
...
...
@@ -260,7 +251,7 @@ class Predicate(XMLObject):
for
category
in
self
.
getMembershipCriterionCategoryList
():
base_category
=
category
.
split
(
'/'
)[
0
]
# Retrieve base category
if
membership_dict
.
has_key
(
base_category
):
category_value
=
self
.
_unrestrictedResolveCategory
(
category
,
None
)
category_value
=
resolveCategory
(
category
)
if
category_value
is
not
None
:
table_alias
=
"single_%s_%s"
%
(
table
,
base_category
)
from_table_dict
[
table_alias
]
=
'category'
...
...
@@ -282,7 +273,7 @@ class Predicate(XMLObject):
for
category
in
self
.
getMembershipCriterionCategoryList
():
base_category
=
category
.
split
(
'/'
)[
0
]
# Retrieve base category
if
multimembership_dict
.
has_key
(
base_category
):
category_value
=
self
.
_unrestrictedR
esolveCategory
(
category
)
category_value
=
r
esolveCategory
(
category
)
if
category_value
is
not
None
:
join_count
+=
1
table_alias
=
"multi_%s_%s"
%
(
table
,
join_count
)
...
...
@@ -317,7 +308,7 @@ class Predicate(XMLObject):
catalog_kw
[
'where_expression'
]
=
SQLQuery
(
sql_text
)
# force implicit join
catalog_kw
[
'implicit_join'
]
=
True
sql_query
=
portal_catalog
.
buildSQLQuery
(
**
catalog_kw
)
sql_query
=
portal
.
portal
_catalog
.
buildSQLQuery
(
**
catalog_kw
)
# XXX from_table_list is None most of the time after the explicit_join work
for
alias
,
table
in
sql_query
[
'from_table_list'
]:
if
from_table_dict
.
has_key
(
alias
):
...
...
@@ -359,15 +350,15 @@ class Predicate(XMLObject):
def
searchResults
(
self
,
**
kw
):
"""
"""
portal_catalog
=
getToolByName
(
self
,
'portal_catalog'
)
return
portal_catalog
.
searchResults
(
build_sql_query_method
=
self
.
buildSQLQuery
,
**
kw
)
return
self
.
getPortalObject
().
portal_catalog
.
searchResults
(
build_sql_query_method
=
self
.
buildSQLQuery
,
**
kw
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'countResults'
)
def
countResults
(
self
,
REQUEST
=
None
,
used
=
None
,
**
kw
):
"""
"""
portal_catalog
=
getToolByName
(
self
,
'portal_catalog'
)
return
portal_catalog
.
countResults
(
build_sql_query_method
=
self
.
buildSQLQuery
,
**
kw
)
return
self
.
getPortalObject
().
portal_catalog
.
countResults
(
build_sql_query_method
=
self
.
buildSQLQuery
,
**
kw
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getCriterionList'
)
def
getCriterionList
(
self
,
**
kw
):
...
...
product/ERP5Type/tests/testERP5Type.py
View file @
80453523
...
...
@@ -2347,7 +2347,7 @@ class TestERP5Type(PropertySheetTestCase, LogInterceptor):
self
.
_ignore_log_errors
()
logged_errors
=
[
logrecord
for
logrecord
in
self
.
logged
if
logrecord
.
name
==
'CMFCategory'
]
self
.
assertEqual
(
'Could not
access
object region/gamma'
,
self
.
assertEqual
(
'Could not
get
object region/gamma'
,
logged_errors
[
0
].
getMessage
())
def
test_list_accessors
(
self
):
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment