Commit 4a4a329f authored by Łukasz Nowak's avatar Łukasz Nowak

Secure certificate management.

Use checkUserCanChangePassword by default, but since in ERP5 users do not have
such permission on the Person document which defines them, fall back to checking whether
the logged-in user's login is the same as the document reference.
parent e55b5bf8
from AccessControl import ClassSecurityInfo
from AccessControl import ClassSecurityInfo, Unauthorized, getSecurityManager
from Products.ERP5.Document.Person import Person as ERP5Person
class Person(ERP5Person):
security = ClassSecurityInfo()
security.declarePublic('getCertificate')
def _checkReference(self):
if not self.getReference():
raise ValueError('No reference set.')
def _checkCertificateRequest(self):
try:
self.checkUserCanChangePassword()
except Unauthorized:
# in ERP5 user has no SetOwnPassword permission on Person document
# referring himself, so implement "security" by checking that currently
# logged in user is trying to get/revoke his own certificate
reference = self.getReference()
if not reference:
raise
if getSecurityManager().getUser().getId() != reference:
raise
def _getCertificate(self):
return self.getPortalObject().portal_certificate_authority\
......@@ -18,13 +28,11 @@ class Person(ERP5Person):
def getCertificate(self):
"""Returns new SSL certificate"""
self._checkReference()
self.checkUserCanChangePassword()
self._checkCertificateRequest()
return self._getCertificate()
security.declarePublic('revokeCertificate')
def revokeCertificate(self):
"""Revokes existing certificate"""
self._checkReference()
self.checkUserCanChangePassword()
self._checkCertificateRequest()
self._revokeCertificate()
242
\ No newline at end of file
243
\ No newline at end of file