Commit 67988359 authored by Vincent Pelletier

mixin.erp5.BaseExtensibleTraversableMixin: Do not call PAS with a fake request

As already documented in this code, unrestrictedTraverse provides a flat dict
as "request" argument. PAS plugins cannot work with such a fake request, so
such _extractUserIds call will not succeed in authenticating the user, and instead
produces (suppressed) exceptions within PAS.
As a result, neither codepath can be followed:
- PAS cannot find any user, hence "if len(user_list) > 0:" is false
- the "else" codepath starts with "request._auth", which obviously raises when
  request is a dict
So, reorder the code so that the nature of the request is checked before
either codepath is entered, skipping the bulk of this code and avoiding calling
into PAS.
parent 99e4a6c7
...@@ -90,13 +90,19 @@ class BaseExtensibleTraversableMixin(ExtensibleTraversableMixin): ...@@ -90,13 +90,19 @@ class BaseExtensibleTraversableMixin(ExtensibleTraversableMixin):
else: else:
has_published = True has_published = True
try: try:
auth = request._auth
except AttributeError:
# This kind of error happens with unrestrictedTraverse,
# because the request object is a fake, and it is just
# a dict object.
user = None
else:
name = None name = None
acl_users = self.getPortalObject().acl_users acl_users = self.getPortalObject().acl_users
user_list = acl_users._extractUserIds(request, acl_users.plugins) user_list = acl_users._extractUserIds(request, acl_users.plugins)
if len(user_list) > 0: if len(user_list) > 0:
name = user_list[0][0] name = user_list[0][0]
else: else:
auth = request._auth
# this logic is copied from identify() in # this logic is copied from identify() in
# AccessControl.User.BasicUserFolder. # AccessControl.User.BasicUserFolder.
if auth and auth.lower().startswith('basic '): if auth and auth.lower().startswith('basic '):
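Review bot: the comment moved along with `except AttributeError:` still only explains that the request is a fake dict under unrestrictedTraverse; it does not say that reading `request._auth` first is now what keeps `acl_users._extractUserIds(request, acl_users.plugins)` from being called with that dict. Please extend the comment to state that the early read is a deliberate guard for the PAS call, so a later cleanup does not move `auth = request._auth` back into the inner `else:` branch. Note also that any request object without `_auth`, not only a dict, now gets `user = None` without PAS being consulted; if that is intended, the comment is the place to say so.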
...@@ -105,11 +111,6 @@ class BaseExtensibleTraversableMixin(ExtensibleTraversableMixin): ...@@ -105,11 +111,6 @@ class BaseExtensibleTraversableMixin(ExtensibleTraversableMixin):
user = portal_membership._huntUser(name, self) user = portal_membership._huntUser(name, self)
else: else:
user = None user = None
except AttributeError:
# This kind of error happens with unrestrictedTraverse,
# because the request object is a fake, and it is just
# a dict object.
user = None
if not has_published: if not has_published:
try: try:
del request.other['PUBLISHED'] del request.other['PUBLISHED']
......
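Review bot: dropping the trailing `except AttributeError:` narrows what this block tolerates, and the commit message does not mention it. An AttributeError raised inside `portal_membership._huntUser(name, self)`, or inside the PAS call earlier in the same block, used to end as `user = None`; with the handler now attached only to the `request._auth` read, it is no longer caught here. If that is the intended behaviour, say so in the commit message, and consider a test that traverses with a real request whose user lookup fails so the new failure mode is pinned down.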