Commit 2530615b authored by Łukasz Nowak's avatar Łukasz Nowak

Security fixup.

deleted person shall not be returned.
Non validated Computer and Software Instance shall not be returned.
parent 86e249bf
...@@ -44,6 +44,7 @@ from Products.ERP5Security.ERP5UserManager import SUPER_USER ...@@ -44,6 +44,7 @@ from Products.ERP5Security.ERP5UserManager import SUPER_USER
from ZODB.POSException import ConflictError from ZODB.POSException import ConflictError
from Products.ERP5Security.ERP5GroupManager import ConsistencyError, NO_CACHE_MODE from Products.ERP5Security.ERP5GroupManager import ConsistencyError, NO_CACHE_MODE
from Products.ERP5Type.Cache import CachingMethod from Products.ERP5Type.Cache import CachingMethod
from Products.ZSQLCatalog.SQLCatalog import Query, ComplexQuery
from Products.ERP5Security.ERP5UserManager import getValidAssignmentList from Products.ERP5Security.ERP5UserManager import getValidAssignmentList
# some usefull globals # some usefull globals
...@@ -82,10 +83,19 @@ def getUserByLogin(portal, login): ...@@ -82,10 +83,19 @@ def getUserByLogin(portal, login):
login = login[LOGIN_PREFIX_LENGTH:] login = login[LOGIN_PREFIX_LENGTH:]
else: else:
return [] return []
machine_query = Query(portal_type=["Computer", "Software Instance"],
validation_state="validated",
reference=dict(query=login, key='ExactMatch'))
person_query = Query(portal_type=["Person"],
reference=dict(query=login, key='ExactMatch'))
result = portal.portal_catalog.unrestrictedSearchResults( result = portal.portal_catalog.unrestrictedSearchResults(
portal_type=LOGGABLE_PORTAL_TYPE_LIST, query=ComplexQuery(machine_query, person_query, operator="OR"),
reference=dict(query=login, key='ExactMatch'),
select_expression='reference') select_expression='reference')
result = [x for x in result if \
(x.getPortalType() == 'Person' and x.getValidationState() != 'deleted') or \
(x.getPortalType() in ("Computer", "Software Instance") and \
x.getValidationState() == 'validated')]
# XXX: Here, we filter catalog result list ALTHOUGH we did pass # XXX: Here, we filter catalog result list ALTHOUGH we did pass
# parameters to unrestrictedSearchResults to restrict result set. # parameters to unrestrictedSearchResults to restrict result set.
# This is done because the following values can match person with # This is done because the following values can match person with
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment