From 8bbf0b5ab352b7319edc08e07f78da426bb9fb23 Mon Sep 17 00:00:00 2001
From: Yoshinori Okuji <yo@nexedi.com>
Date: Thu, 5 Jun 2008 17:24:30 +0000
Subject: [PATCH] Change the handling of Anonymous User.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@21362 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5Type/UnrestrictedMethod.py | 32 +++++++++++++++-----------
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/product/ERP5Type/UnrestrictedMethod.py b/product/ERP5Type/UnrestrictedMethod.py
index 641eac039e..c0f3192153 100644
--- a/product/ERP5Type/UnrestrictedMethod.py
+++ b/product/ERP5Type/UnrestrictedMethod.py
@@ -27,9 +27,13 @@
 ##############################################################################
 
 from AccessControl.User import UnrestrictedUser
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from AccessControl.SpecialUsers import system
 from AccessControl.SecurityManagement import getSecurityManager, \
         newSecurityManager, setSecurityManager
+try:
+  from Zope2 import app
+except ImportError:
+  from Zope import app
 
 class PrivilegedUser(UnrestrictedUser):
   """User that bypasses all security checks, but retains an original
@@ -68,23 +72,25 @@ class UnrestrictedMethod(object):
   def __call__(self, *args, **kw):
     security_manager = getSecurityManager()
     user = security_manager.getUser()
-    isAnonymousUser =  user.getUserName()=='Anonymous User'
-    if user.getId() is None and not isAnonymousUser:
+    anonymous = (user.getUserName() == 'Anonymous User')
+    if user.getId() is None and not anonymous:
       # This is a special user, thus the user is not allowed to own objects.
       super_user = UnrestrictedUser(user.getUserName(), None,
                                     user.getRoles(), user.getDomains())
-    elif isAnonymousUser:
-      # switch to ERP5 SUPER_USER
-      # XXX: hard-coded username and roles (this is bad but no way we could 
-      # currently get context (i.e. switch to roles of owner of portal)
-      # another possibility is to pass username, roles from outside in constructor
-      super_user = UnrestrictedUser(SUPER_USER, None,
-                                    ('Manager', 'Assignor' ), ('',))
     else:
-      uf = user.aq_inner.aq_parent
-      # XXX is it better to get roles from the parent (i.e. portal)?
+      try:
+        # XXX is it better to get roles from the parent (i.e. portal)?
+        uf = user.aq_inner.aq_parent
+      except AttributeError:
+        uf = app().acl_users
       role_list = uf.valid_roles()
-      super_user = PrivilegedUser(user.getId(), None,
+      if anonymous:
+        # If the user is anonymous, use the id of the system user,
+        # so that it would not be treated as an unauthorized user.
+        user_id = str(system)
+      else:
+        user_id = user.getId()
+      super_user = PrivilegedUser(user_id, None,
                                   role_list, user.getDomains()).__of__(uf)
     newSecurityManager(None, super_user)
     try:
-- 
2.30.9