Skip to content

erp5
erp5
Commit 3fbddb7f authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki
Browse files
Options

permissions guard check should also respect caller's proxy roles like roles guard.

parent 77fa7de1
Show whitespace changes
Inline Side-by-side
Showing with 24 additions and 20 deletions
product/ERP5Type/patches/PythonScript.py
View file @ 3fbddb7f
...@@ -10,13 +10,13 @@ ...@@ -10,13 +10,13 @@
# FOR A PARTICULAR PURPOSE # FOR A PARTICULAR PURPOSE
# #
############################################################################## ##############################################################################
from Products.CMFCore.utils import _checkPermission
from Products.DCWorkflow.Guard import Guard from Products.DCWorkflow.Guard import Guard
from Products.PythonScripts.PythonScript import PythonScript from Products.PythonScripts.PythonScript import PythonScript
from App.special_dtml import DTMLFile from App.special_dtml import DTMLFile
from Products.ERP5Type import _dtmldir from Products.ERP5Type import _dtmldir
from AccessControl import ClassSecurityInfo, getSecurityManager from AccessControl import ClassSecurityInfo, getSecurityManager
from AccessControl.class_init import InitializeClass from AccessControl.class_init import InitializeClass
from AccessControl.PermissionRole import rolesForPermissionOn
from OFS.misc_ import p_ from OFS.misc_ import p_
from App.ImageFile import ImageFile from App.ImageFile import ImageFile
from Acquisition import aq_base, aq_parent from Acquisition import aq_base, aq_parent
...@@ -109,26 +109,31 @@ def checkGuard(guard, ob): ...@@ -109,26 +109,31 @@ def checkGuard(guard, ob):
# returns 1 if guard passes against ob, else 0. # returns 1 if guard passes against ob, else 0.
# TODO : implement TALES evaluation by defining an appropriate # TODO : implement TALES evaluation by defining an appropriate
# context. # context.
sm = None u_roles = None
if guard.permissions: def getRoles():
for p in guard.permissions:
if _checkPermission(p, ob):
break
else:
return 0
if guard.roles:
if sm is None:
sm = getSecurityManager() sm = getSecurityManager()
u = sm.getUser() u = sm.getUser()
def getRoles():
stack = sm._context.stack stack = sm._context.stack
if stack and len(stack) > 1: if stack and len(stack) > 1:
eo = stack[-2] # -1 is the current script. eo = stack[-2] # -1 is the current script.
proxy_roles = getattr(eo, '_proxy_roles', None) proxy_roles = getattr(eo, '_proxy_roles', None)
if proxy_roles: if proxy_roles:
roles = proxy_roles
return proxy_roles return proxy_roles
return u.getRolesInContext(ob) roles = u.getRolesInContext(ob)
return roles
if guard.permissions:
# Require at least one role for required roles for the given permission.
if u_roles is None:
u_roles = getRoles()
for p in guard.permissions:
if set(rolesForPermissionOn(p, ob)).intersection(u_roles):
break
else:
return 0
if guard.roles:
# Require at least one of the given roles. # Require at least one of the given roles.
if u_roles is None:
u_roles = getRoles() u_roles = getRoles()
for role in guard.roles: for role in guard.roles:
if role in u_roles: if role in u_roles:
...@@ -137,7 +142,6 @@ def checkGuard(guard, ob): ...@@ -137,7 +142,6 @@ def checkGuard(guard, ob):
return 0 return 0
if guard.groups: if guard.groups:
# Require at least one of the specified groups. # Require at least one of the specified groups.
if sm is None:
sm = getSecurityManager() sm = getSecurityManager()
u = sm.getUser() u = sm.getUser()
b = aq_base( u ) b = aq_base( u )
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7