From 2ab66283cd0dc1fea001cd93098db70ae1df81e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Nowak?= <luke@nexedi.com>
Date: Mon, 22 Oct 2012 15:41:26 +0200
Subject: [PATCH] Security fix: check Assignment in case of Person.

---
 master/product/Vifib/VifibMachineAuthenticationPlugin.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/master/product/Vifib/VifibMachineAuthenticationPlugin.py b/master/product/Vifib/VifibMachineAuthenticationPlugin.py
index ee4e1223f..f7358a099 100644
--- a/master/product/Vifib/VifibMachineAuthenticationPlugin.py
+++ b/master/product/Vifib/VifibMachineAuthenticationPlugin.py
@@ -48,6 +48,7 @@ from Products.ERP5Type.ERP5Type \
 import ERP5TYPE_SECURITY_GROUP_ID_GENERATION_SCRIPT
 from Products.ERP5Type.Cache import CachingMethod
 from Products.ZSQLCatalog.SQLCatalog import Query, ComplexQuery
+from Products.ERP5Security.ERP5UserManager import getValidAssignmentList

 #Form for new plugin in ZMI
 manage_addVifibMachineAuthenticationPluginForm = PageTemplateFile(
@@ -148,6 +149,10 @@ class VifibMachineAuthenticationPlugin(BasePlugin):
 user_list = self.getUserByLogin(login)
 if len(user_list) != 1:
 return None
+ user = user_list[0]
+ if user.getPortalType() == 'Person':
+ if len(getValidAssignmentList(user)) == 0:
+ return None
 return (login, login)

 def getUserByLogin(self, login):
--
2.30.9
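Review bot: The assignment check added in the second hunk runs only when `user.getPortalType() == 'Person'`, so any other document type returned by `getUserByLogin` still authenticates here with no equivalent validity check; if that is intended, record it with a comment such as `# A Person may log in only with at least one valid Assignment; other portal types are not subject to this check.` The two nested conditions read more directly as one, `if user.getPortalType() == 'Person' and not getValidAssignmentList(user):`. The diffstat shows only this file changed, so a regression test covering a Person with no valid Assignment would keep the fix from being silently lost. The enclosing method starts and ends outside the hunk, so whether its result is cached (the file imports `CachingMethod`), and therefore how quickly a revoked Assignment takes effect, cannot be judged from these lines and is worth confirming.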