Commit 17d3df41 authored by Vincent Pelletier

ERP5Security.ERP5UserLoginManager: Special-case user_id='System Processes'

Because of ERP5Type.UnrestrictedMethod, 'System Processes' can own objects.
Such objects can be proxy-role'd scripts, and proxy-role mechanism
triggers many user look-ups (each time security is evaluated, which is
virtually every getattr). Each such lookup will do a query for 'System
Processes' user, which will (hopefully) find nothing anyway.
So special-case 'System Processes' when looking by user_id by skipping
the search altogether (enforcing the inability to locate this user,
consistently with Zope assumptions, and consistently with previous
behaviour).
parent 671d24b5
...@@ -40,11 +40,12 @@ from AccessControl import SpecialUsers ...@@ -40,11 +40,12 @@ from AccessControl import SpecialUsers
from Shared.DC.ZRDB.DA import DatabaseError from Shared.DC.ZRDB.DA import DatabaseError
from zLOG import LOG, ERROR from zLOG import LOG, ERROR
SYSTEM_USER_USER_NAME = SpecialUsers.system.getUserName()
# To prevent login thieves # To prevent login thieves
SPECIAL_USER_NAME_SET = ( SPECIAL_USER_NAME_SET = (
ERP5Security.SUPER_USER, ERP5Security.SUPER_USER,
SpecialUsers.nobody.getUserName(), SpecialUsers.nobody.getUserName(),
SpecialUsers.system.getUserName(), SYSTEM_USER_USER_NAME,
# Note: adding emergency_user is pointless as its login is variable, so no # Note: adding emergency_user is pointless as its login is variable, so no
# way to prevent another user from stealing its login. # way to prevent another user from stealing its login.
) )
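Review bot: SYSTEM_USER_USER_NAME, added at the top of this hunk, has no comment and is taken from getUserName(), although the second hunk compares it against values passed in as user ids. A one-line comment stating that the system user's name is also the value seen as its user_id in this plugin would make that later comparison easier to trust. The doubled USER_USER in the name also reads like a typo; a shorter name would avoid that.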
...@@ -196,6 +197,10 @@ class ERP5LoginUserManager(BasePlugin): ...@@ -196,6 +197,10 @@ class ERP5LoginUserManager(BasePlugin):
# PluggableAuthService.searchUsers. # PluggableAuthService.searchUsers.
if isinstance(id, str): if isinstance(id, str):
id = (id, ) id = (id, )
# Short-cut "System Processes" as not being searchable by user_id.
# This improves performance in proxy-role'd execution by avoiding an
# sql query expected to find no user.
id = [x for x in id if x != SYSTEM_USER_USER_NAME]
if id: if id:
if exact_match: if exact_match:
requested = set(id).__contains__ requested = set(id).__contains__
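Review bot: after the new filter `id = [x for x in id if x != SYSTEM_USER_USER_NAME]`, a call that asked only for 'System Processes' reaches `if id:` with an empty list, which is the same state as a caller that passed no id at all. The branch taken when `if id:` is false is not shown in this hunk; if it goes on to search by other criteria such as login, such a call would now return those matches instead of nothing. Returning an empty result right after the filter, when it has emptied a non-empty id, would make the "cannot be located" guarantee from the commit message explicit. The filter also runs when exact_match is false, which the new comment should mention.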
......