Commit 61361067 authored by Jérome Perrin's avatar Jérome Perrin

advanced_ecommerce: remove problematic script

This script:
 - redirects with password in URL, which causes password to be in log
files and web analytics software
 - uses "immediate reindex"
 - uses manage_setLocalRoles instead of proper roles definitions (so
roles are lost when roles are regenerated and other problems)

A more proper way seem to use credential request
parent bca53113
Pipeline #9996 failed with stage
in 0 seconds
from AccessControl.SecurityManagement import getSecurityManager, \
setSecurityManager, newSecurityManager
from Products.ERP5Security import SUPER_USER
def immediateReindex(self):
self.immediateReindexObject()
def executeMethodAsSuperUser(self, method,**kw):
sm = getSecurityManager()
try:
newSecurityManager(self.REQUEST, self.getPortalObject().acl_users.getUser(SUPER_USER))
method = getattr(self, method)
return method(**kw)
finally:
#Restore orinal user
setSecurityManager(sm)
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="Extension Component" module="erp5.portal_type"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_recorded_property_dict</string> </key>
<value>
<persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
</value>
</item>
<item>
<key> <string>default_reference</string> </key>
<value> <string>AdvancedECommercePreference</string> </value>
</item>
<item>
<key> <string>description</string> </key>
<value>
<none/>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>extension.erp5.AdvancedECommercePreference</string> </value>
</item>
<item>
<key> <string>portal_type</string> </key>
<value> <string>Extension Component</string> </value>
</item>
<item>
<key> <string>sid</string> </key>
<value>
<none/>
</value>
</item>
<item>
<key> <string>text_content_error_message</string> </key>
<value>
<tuple/>
</value>
</item>
<item>
<key> <string>text_content_warning_message</string> </key>
<value>
<tuple/>
</value>
</item>
<item>
<key> <string>version</string> </key>
<value> <string>erp5</string> </value>
</item>
<item>
<key> <string>workflow_history</string> </key>
<value>
<persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
</value>
</item>
</dictionary>
</pickle>
</record>
<record id="2" aka="AAAAAAAAAAI=">
<pickle>
<global name="PersistentMapping" module="Persistence.mapping"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>data</string> </key>
<value>
<dictionary/>
</value>
</item>
</dictionary>
</pickle>
</record>
<record id="3" aka="AAAAAAAAAAM=">
<pickle>
<global name="PersistentMapping" module="Persistence.mapping"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>data</string> </key>
<value>
<dictionary>
<item>
<key> <string>component_validation_workflow</string> </key>
<value>
<persistent> <string encoding="base64">AAAAAAAAAAQ=</string> </persistent>
</value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</pickle>
</record>
<record id="4" aka="AAAAAAAAAAQ=">
<pickle>
<global name="WorkflowHistoryList" module="Products.ERP5Type.Workflow"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_log</string> </key>
<value>
<list>
<dictionary>
<item>
<key> <string>action</string> </key>
<value> <string>validate</string> </value>
</item>
<item>
<key> <string>validation_state</string> </key>
<value> <string>validated</string> </value>
</item>
</dictionary>
</list>
</value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
portal = context.getPortalObject()
translateString = context.Base_translateString
website = context.getWebSiteValue()
# Call Base_edit
result, result_type = context.Base_edit(form_id, silent_mode=1, field_prefix='your_')
# Return if not appropriate
if result_type != 'edit':
return result
kw, _ = result
# Set default values
person_group = None
person_function = None
person_site = None
person_role = 'client'
reference = kw.pop('reference')
password = kw.pop('password')
kw.pop('password_confirm', None)
# Check that user doesn't already exists
person_list = [x for x in portal.acl_users.searchUsers(login=reference, exact_match=True) if 'path' in x]
if person_list:
msg = translateString("This account already exists. Please provide another email address.")
kw['portal_status_message'] = msg
context.REQUEST.form.update(kw)
return getattr(website, form_id)()
# create Person account
person_module = portal.getDefaultModule(portal_type='Person')
person = person_module.newContent(portal_type='Person')
user_id = person.Person_getUserId()
# Create default career
person.newContent(portal_type='Career',
id='default_career',
group=person_group,
function=person_function,
role=person_role)
# Create assignment
assignment = person.newContent(portal_type='Assignment',
group=person_group,
function=person_function,
role=person_role, # Required for security based on role
site=person_site)
login = person.newContent(portal_type='ERP5 Login',
reference=reference,
password=password)
login.validate()
assignment.open()
person.validate()
person.manage_setLocalRoles(user_id, ['Auditor'])
person.WebSite_immediateReindex()
login.WebSite_immediateReindex()
person.WebSite_executeMethodAsSuperUser('edit', **kw)
is_shopping_cart = context.REQUEST.get('is_shopping_cart')
if is_shopping_cart is None:
is_shopping_cart = context.REQUEST.get('field_your_is_shopping_cart')
if is_shopping_cart:
msg = translateString("Your account was successfully created, now you can proceed to payment.")
else:
msg = translateString("Your account was successfully created.")
# Set owner local role for cart if needed
shopping_cart = context.SaleOrder_getShoppingCart()
if shopping_cart is not None:
shopping_cart.manage_setLocalRoles(user_id, ['Owner'])
"""
response = context.REQUEST.RESPONSE
response.setHeader("__ac_name", reference)
response.setHeader("__ac_password", password)
"""
came_from = kw.pop('came_from', None)
if came_from:
from ZTUtils import make_query
parameter_string = make_query(__ac_name=reference, __ac_password=password,
portal_status_message=msg, editable_mode=0)
return context.REQUEST.RESPONSE.redirect('%s?%s' % (came_from, parameter_string))
return website.Base_redirect('/', keep_items=dict(portal_status_message=msg,
__ac_name=reference, # XXX - Make it generic
__ac_password=password, # XXX - Make it generic
editable_mode=0))
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>form_id</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Manager</string>
<string>Owner</string>
</tuple>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>WebSite_createWebSiteAccount</string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string>Create Web Site User Account (MERGE THIS)</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="ExternalMethod" module="Products.ExternalMethod.ExternalMethod"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_function</string> </key>
<value> <string>executeMethodAsSuperUser</string> </value>
</item>
<item>
<key> <string>_module</string> </key>
<value> <string>AdvancedECommercePreference</string> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>WebSite_executeMethodAsSuperUser</string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string></string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="ExternalMethod" module="Products.ExternalMethod.ExternalMethod"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_function</string> </key>
<value> <string>immediateReindex</string> </value>
</item>
<item>
<key> <string>_module</string> </key>
<value> <string>AdvancedECommercePreference</string> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>WebSite_immediateReindex</string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string></string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
extension.erp5.AdvancedECommercePreference
\ No newline at end of file
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment