Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
erp5
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
erp5
Commits
726549e1
Commit
726549e1
authored
May 03, 2019
by
Romain Courteaud
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[erp5_hal_json_style] Check permission before accessing any document
parent
18e2f507
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
221 additions
and
41 deletions
+221
-41
bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
...rtal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
+36
-40
bt5/erp5_hal_json_style/TestTemplateItem/portal_components/test.erp5.testHalRestrictedJsonStyle.py
...portal_components/test.erp5.testHalRestrictedJsonStyle.py
+60
-0
bt5/erp5_hal_json_style/TestTemplateItem/portal_components/test.erp5.testHalRestrictedJsonStyle.xml
...ortal_components/test.erp5.testHalRestrictedJsonStyle.xml
+123
-0
bt5/erp5_hal_json_style/bt/template_test_id_list
bt5/erp5_hal_json_style/bt/template_test_id_list
+2
-1
No files found.
bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
View file @
726549e1
...
...
@@ -1134,14 +1134,41 @@ def calculateHateoas(is_portal=None, is_site_root=None, traversed_document=None,
relative_url
=
None
,
restricted
=
None
,
list_method
=
None
,
default_param_json
=
None
,
form_relative_url
=
None
,
extra_param_json
=
None
):
if
(
restricted
==
1
)
and
(
portal
.
portal_membership
.
isAnonymousUser
()):
login_relative_url
=
site_root
.
getLayoutProperty
(
"configuration_login"
,
default
=
""
)
if
(
login_relative_url
):
response
.
setHeader
(
'WWW-Authenticate'
,
'X-Delegate uri="%s"'
%
(
url_template_dict
[
"login_template"
]
%
{
"root_url"
:
site_root
.
absolute_url
(),
"login"
:
login_relative_url
})
)
response
.
setStatus
(
401
)
return
""
if
(
view
is
not
None
):
view
=
str
(
view
)
if
relative_url
:
try
:
traversed_document
=
site_root
.
restrictedTraverse
(
str
(
relative_url
))
if
(
view
is
not
None
):
view
=
str
(
view
)
is_site_root
=
False
except
:
raise
NotImplementedError
(
relative_url
)
is_site_root
=
False
if
traversed_document
is
None
:
traversed_document
=
site_root
.
restrictedTraverse
(
relative_url
,
None
)
if
(
traversed_document
is
None
):
response
.
setStatus
(
404
)
return
""
elif
traversed_document
is
None
:
traversed_document
=
context
# Check if traversed_document is the site_root
if
is_site_root
is
None
:
is_site_root
=
(
traversed_document
.
getPath
()
==
site_root
.
getPath
())
if
is_portal
is
None
:
is_portal
=
(
traversed_document
.
getPath
()
==
portal
.
getPath
())
if
mime_type
!=
traversed_document
.
Base_handleAcceptHeader
([
mime_type
]):
response
.
setStatus
(
406
)
return
""
# extra_param_json holds parameters for search interpreted by getHateoas itself
# not by the list_method neither url_columns - only getHateoas
...
...
@@ -1189,24 +1216,7 @@ def calculateHateoas(is_portal=None, is_site_root=None, traversed_document=None,
'status'
:
statusLevelToString
(
portal_status_level
)
}
if
(
restricted
==
1
)
and
(
portal
.
portal_membership
.
isAnonymousUser
()):
login_relative_url
=
site_root
.
getLayoutProperty
(
"configuration_login"
,
default
=
""
)
if
(
login_relative_url
):
response
.
setHeader
(
'WWW-Authenticate'
,
'X-Delegate uri="%s"'
%
(
url_template_dict
[
"login_template"
]
%
{
"root_url"
:
site_root
.
absolute_url
(),
"login"
:
login_relative_url
})
)
response
.
setStatus
(
401
)
return
""
elif
mime_type
!=
traversed_document
.
Base_handleAcceptHeader
([
mime_type
]):
response
.
setStatus
(
406
)
return
""
elif
(
mode
==
'root'
)
or
(
mode
==
'traverse'
):
if
(
mode
==
'root'
)
or
(
mode
==
'traverse'
):
##
# Render ERP Document with a `view` specified
# `view` contains view's name and we extract view's URL (we suppose form ${object_url}/Form_view)
...
...
@@ -2108,22 +2118,8 @@ else:
context.Base_prepareCorsResponse(RESPONSE=response)
# Check if traversed_document is the site_root
if relative_url:
temp_traversed_document = site_root.restrictedTraverse(relative_url, None)
if (temp_traversed_document is None):
response.setStatus(404)
return ""
else:
temp_traversed_document = context
temp_is_site_root = (temp_traversed_document.getPath() == site_root.getPath())
temp_is_portal = (temp_traversed_document.getPath() == portal.getPath())
response.setHeader('
Content
-
Type
', mime_type)
hateoas = calculateHateoas(is_portal=temp_is_portal, is_site_root=temp_is_site_root,
traversed_document=temp_traversed_document,
relative_url=relative_url,
hateoas = calculateHateoas(relative_url=relative_url,
REQUEST=REQUEST, response=response, view=view, mode=mode,
query=query, select_list=select_list, limit=limit, form=form,
restricted=restricted, list_method=list_method,
...
...
bt5/erp5_hal_json_style/TestTemplateItem/portal_components/test.erp5.testHalRestrictedJsonStyle.py
0 → 100644
View file @
726549e1
from
erp5.component.test.testHalJsonStyle
import
ERP5HALJSONStyleSkinsMixin
,
simulate
,
changeSkin
,
do_fake_request
class
TestHalRestricted
(
ERP5HALJSONStyleSkinsMixin
):
@
simulate
(
'Base_getRequestUrl'
,
'*args, **kwargs'
,
'return "http://example.org/bar"'
)
@
simulate
(
'Base_getRequestHeader'
,
'*args, **kwargs'
,
'return "application/hal+json"'
)
@
changeSkin
(
'HalRestricted'
)
def
test_mode_root
(
self
):
fake_request
=
do_fake_request
(
"GET"
)
self
.
logout
()
result
=
self
.
portal
.
web_site_module
.
hateoas
.
ERP5Document_getHateoas
(
REQUEST
=
fake_request
)
self
.
assertEquals
(
fake_request
.
RESPONSE
.
status
,
401
)
self
.
assertEquals
(
fake_request
.
RESPONSE
.
getHeader
(
'WWW-Authenticate'
),
'X-Delegate uri="%s/connection/login_form{?came_from}"'
%
self
.
portal
.
web_site_module
.
hateoas
.
absolute_url
()
)
@
simulate
(
'Base_getRequestUrl'
,
'*args, **kwargs'
,
'return "http://example.org/bar"'
)
@
simulate
(
'Base_getRequestHeader'
,
'*args, **kwargs'
,
'return "application/hal+json"'
)
@
changeSkin
(
'HalRestricted'
)
def
test_mode_traverse
(
self
):
document_relative_url
=
self
.
_makeDocument
().
getRelativeUrl
()
fake_request
=
do_fake_request
(
"GET"
)
self
.
logout
()
result
=
self
.
portal
.
web_site_module
.
hateoas
.
ERP5Document_getHateoas
(
REQUEST
=
fake_request
,
mode
=
"traverse"
,
relative_url
=
document_relative_url
)
self
.
assertEquals
(
fake_request
.
RESPONSE
.
status
,
401
)
self
.
assertEquals
(
fake_request
.
RESPONSE
.
getHeader
(
'WWW-Authenticate'
),
'X-Delegate uri="%s/connection/login_form{?came_from}"'
%
self
.
portal
.
web_site_module
.
hateoas
.
absolute_url
()
)
@
simulate
(
'Base_getRequestUrl'
,
'*args, **kwargs'
,
'return "http://example.org/bar"'
)
@
simulate
(
'Base_getRequestHeader'
,
'*args, **kwargs'
,
'return "application/hal+json"'
)
@
changeSkin
(
'HalRestricted'
)
def
test_mode_search
(
self
):
fake_request
=
do_fake_request
(
"GET"
)
self
.
logout
()
result
=
self
.
portal
.
web_site_module
.
hateoas
.
ERP5Document_getHateoas
(
REQUEST
=
fake_request
,
mode
=
"search"
)
self
.
assertEquals
(
fake_request
.
RESPONSE
.
status
,
401
)
self
.
assertEquals
(
fake_request
.
RESPONSE
.
getHeader
(
'WWW-Authenticate'
),
'X-Delegate uri="%s/connection/login_form{?came_from}"'
%
self
.
portal
.
web_site_module
.
hateoas
.
absolute_url
()
)
@
simulate
(
'Base_getRequestUrl'
,
'*args, **kwargs'
,
'return "http://example.org/bar"'
)
@
simulate
(
'Base_getRequestHeader'
,
'*args, **kwargs'
,
'return "application/hal+json"'
)
@
changeSkin
(
'HalRestricted'
)
def
test_mode_worklist
(
self
):
fake_request
=
do_fake_request
(
"GET"
)
self
.
logout
()
result
=
self
.
portal
.
web_site_module
.
hateoas
.
ERP5Document_getHateoas
(
REQUEST
=
fake_request
,
mode
=
"worklist"
)
self
.
assertEquals
(
fake_request
.
RESPONSE
.
status
,
401
)
self
.
assertEquals
(
fake_request
.
RESPONSE
.
getHeader
(
'WWW-Authenticate'
),
'X-Delegate uri="%s/connection/login_form{?came_from}"'
%
self
.
portal
.
web_site_module
.
hateoas
.
absolute_url
()
)
bt5/erp5_hal_json_style/TestTemplateItem/portal_components/test.erp5.testHalRestrictedJsonStyle.xml
0 → 100644
View file @
726549e1
<?xml version="1.0"?>
<ZopeData>
<record
id=
"1"
aka=
"AAAAAAAAAAE="
>
<pickle>
<global
name=
"Test Component"
module=
"erp5.portal_type"
/>
</pickle>
<pickle>
<dictionary>
<item>
<key>
<string>
_recorded_property_dict
</string>
</key>
<value>
<persistent>
<string
encoding=
"base64"
>
AAAAAAAAAAI=
</string>
</persistent>
</value>
</item>
<item>
<key>
<string>
default_reference
</string>
</key>
<value>
<string>
testHalRestrictedJsonStyle
</string>
</value>
</item>
<item>
<key>
<string>
description
</string>
</key>
<value>
<none/>
</value>
</item>
<item>
<key>
<string>
id
</string>
</key>
<value>
<string>
test.erp5.testHalRestrictedJsonStyle
</string>
</value>
</item>
<item>
<key>
<string>
portal_type
</string>
</key>
<value>
<string>
Test Component
</string>
</value>
</item>
<item>
<key>
<string>
sid
</string>
</key>
<value>
<none/>
</value>
</item>
<item>
<key>
<string>
text_content_error_message
</string>
</key>
<value>
<tuple/>
</value>
</item>
<item>
<key>
<string>
text_content_warning_message
</string>
</key>
<value>
<tuple/>
</value>
</item>
<item>
<key>
<string>
version
</string>
</key>
<value>
<string>
erp5
</string>
</value>
</item>
<item>
<key>
<string>
workflow_history
</string>
</key>
<value>
<persistent>
<string
encoding=
"base64"
>
AAAAAAAAAAM=
</string>
</persistent>
</value>
</item>
</dictionary>
</pickle>
</record>
<record
id=
"2"
aka=
"AAAAAAAAAAI="
>
<pickle>
<global
name=
"PersistentMapping"
module=
"Persistence.mapping"
/>
</pickle>
<pickle>
<dictionary>
<item>
<key>
<string>
data
</string>
</key>
<value>
<dictionary/>
</value>
</item>
</dictionary>
</pickle>
</record>
<record
id=
"3"
aka=
"AAAAAAAAAAM="
>
<pickle>
<global
name=
"PersistentMapping"
module=
"Persistence.mapping"
/>
</pickle>
<pickle>
<dictionary>
<item>
<key>
<string>
data
</string>
</key>
<value>
<dictionary>
<item>
<key>
<string>
component_validation_workflow
</string>
</key>
<value>
<persistent>
<string
encoding=
"base64"
>
AAAAAAAAAAQ=
</string>
</persistent>
</value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</pickle>
</record>
<record
id=
"4"
aka=
"AAAAAAAAAAQ="
>
<pickle>
<global
name=
"WorkflowHistoryList"
module=
"Products.ERP5Type.patches.WorkflowTool"
/>
</pickle>
<pickle>
<tuple>
<none/>
<list>
<dictionary>
<item>
<key>
<string>
action
</string>
</key>
<value>
<string>
validate
</string>
</value>
</item>
<item>
<key>
<string>
validation_state
</string>
</key>
<value>
<string>
validated
</string>
</value>
</item>
</dictionary>
</list>
</tuple>
</pickle>
</record>
</ZopeData>
bt5/erp5_hal_json_style/bt/template_test_id_list
View file @
726549e1
test.erp5.testHalJsonStyle
\ No newline at end of file
test.erp5.testHalJsonStyle
test.erp5.testHalRestrictedJsonStyle
\ No newline at end of file
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment