Commit f4e7481f authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

do not check 'Add portal content' permission if 'Add Permission' is set.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@16972 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 381281eb
...@@ -1220,10 +1220,6 @@ class Folder(CopyContainer, CMFBTreeFolder, CMFHBTreeFolder, Base, FolderMixIn, ...@@ -1220,10 +1220,6 @@ class Folder(CopyContainer, CMFBTreeFolder, CMFHBTreeFolder, Base, FolderMixIn,
hidden content types. It allows to be much faster when only the type id hidden content types. It allows to be much faster when only the type id
is needed. is needed.
""" """
if not getSecurityManager().checkPermission(
Permissions.AddPortalContent, self):
return []
portal = self.getPortalObject() portal = self.getPortalObject()
def _getVisibleAllowedContentTypeList(): def _getVisibleAllowedContentTypeList():
...@@ -1264,10 +1260,6 @@ class Folder(CopyContainer, CMFBTreeFolder, CMFHBTreeFolder, Base, FolderMixIn, ...@@ -1264,10 +1260,6 @@ class Folder(CopyContainer, CMFBTreeFolder, CMFHBTreeFolder, Base, FolderMixIn,
# permission that "Add portal content". For now, this is only the case for # permission that "Add portal content". For now, this is only the case for
# Role Definition objects, but this shows that generally speaking, this is # Role Definition objects, but this shows that generally speaking, this is
# not the right approach. # not the right approach.
if not getSecurityManager().checkPermission(
Permissions.AddPortalContent, self):
return []
def _allowedContentTypes( portal_type=None, user=None, portal_path=None ): def _allowedContentTypes( portal_type=None, user=None, portal_path=None ):
# Sort the list for convenience -yo # Sort the list for convenience -yo
# XXX This is not the best solution, because this does not take # XXX This is not the best solution, because this does not take
......
...@@ -58,7 +58,9 @@ from RoleInformation import ori ...@@ -58,7 +58,9 @@ from RoleInformation import ori
from TranslationProviderBase import TranslationProviderBase from TranslationProviderBase import TranslationProviderBase
from zLOG import LOG from sys import exc_info
from zLOG import LOG, ERROR
from Products.CMFCore.exceptions import zExceptions_Unauthorized
ERP5TYPE_SECURITY_GROUP_ID_GENERATION_SCRIPT = 'ERP5Type_asSecurityGroupId' ERP5TYPE_SECURITY_GROUP_ID_GENERATION_SCRIPT = 'ERP5Type_asSecurityGroupId'
...@@ -205,16 +207,39 @@ class ERP5TypeInformation( FactoryTypeInformation, ...@@ -205,16 +207,39 @@ class ERP5TypeInformation( FactoryTypeInformation,
# #
# Agent methods # Agent methods
# #
security.declarePublic('isConstructionAllowed') def _queryFactoryMethod(self, container, default=None):
def isConstructionAllowed( self, container ):
""" if not self.product or not self.factory or container is None:
Does the current user have the permission required in return default
order to construct an instance?
""" # In case we aren't wrapped.
permission = self.permission dispatcher = getattr(container, 'manage_addProduct', None)
if permission and not _checkPermission( permission, container ):
return 0 if dispatcher is None:
return FactoryTypeInformation.isConstructionAllowed(self, container) return default
try:
p = dispatcher[self.product]
except AttributeError:
LOG('Types Tool', ERROR, '_queryFactoryMethod raised an exception',
error=exc_info())
return default
m = getattr(p, self.factory, None)
if m:
try:
# validate() can either raise Unauthorized or return 0 to
# mean unauthorized.
permission = self.permission
if permission and _checkPermission( permission, container ):
return m
elif getSecurityManager().validate(p, p, self.factory, m):
return m
except zExceptions_Unauthorized: # Catch *all* Unauths!
pass
return default
def _getFactoryMethod(self, container, check_security=1): def _getFactoryMethod(self, container, check_security=1):
if not self.product or not self.factory: if not self.product or not self.factory:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment