From 9b702c12d0889beeabef7ce9f6608440c91ac03b Mon Sep 17 00:00:00 2001
From: Jean-Paul Smets <jp@nexedi.com>
Date: Sat, 13 Jan 2007 15:08:05 +0000
Subject: [PATCH] Added extra check to make sure View permission is required to
 render a Form.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@12059 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5Form/Form.py | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/product/ERP5Form/Form.py b/product/ERP5Form/Form.py
index 7bb16798de..2c1c2158f7 100644
--- a/product/ERP5Form/Form.py
+++ b/product/ERP5Form/Form.py
@@ -32,7 +32,9 @@ from Products.Formulator.Errors import FormValidationError, ValidationError
 from Products.Formulator.DummyField import fields
 from Products.Formulator.XMLToForm import XMLToForm
 from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
-from Products.ERP5Type import PropertySheet
+from Products.CMFCore.utils import _checkPermission
+from Products.CMFCore.exceptions import AccessControl_Unauthorized
+from Products.ERP5Type import PropertySheet, Permissions
 
 from urllib import quote
 from Globals import InitializeClass, PersistentMapping, DTMLFile, get_request
@@ -362,12 +364,35 @@ class ERP5Form(ZMIForm, ZopePageTemplate):
 
     # Proxy method to PageTemplate
     def __call__(self, *args, **kwargs):
+        # Security
+        #
+        # The minimal action consists in checking that
+        # we have View permission on the current object
+        # before rendering a form. Otherwise, object with
+        # AccessContentInformation can be viewed by invoking
+        # a form directly.
+        #
+        # What would be better is to prevent calling certain
+        # forms to render objects. This can not be done
+        # through actions since we are using sometimes forms
+        # to render the results of a report dialog form.
+        # An a appropriate solutions could consist in adding
+        # a permission field to the form. Another solutions
+        # is the use of REFERER in the rendering process.
+        #
+        # Both solutions are not perfect if the goal is, for
+        # example, to prevent displaying private information of
+        # staff. The only real solution is to use a special
+        # permission (ex. AccessPrivateInformation) for those
+        # properties which are sensitive.
         if not kwargs.has_key('args'):
             kwargs['args'] = args
         form = self
         object = getattr(form, 'aq_parent', None)
-        if object:
+        if object is not None:
           container = object.aq_inner.aq_parent
+          if not _checkPermission(Permissions.View, object):
+            raise AccessControl_Unauthorized('This document is not authorizes for view.')
         else:
           container = None
         pt = getattr(self,self.pt)
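Review bot: The new permission check is evaluated only inside the `object is not None` branch, and only after `container` has already been derived from the parent; a form reached without an acquisition parent still renders with no View check, which may be intended (there is nothing to check against) but deserves a comment stating so, e.g. `# No acquisition parent: nothing to check View against`. Within the branch, the check should come before `container = object.aq_inner.aq_parent` so an unauthorized caller fails before any further attribute access on the object. The message raised on the new line has a typo: `raise AccessControl_Unauthorized('This document is not authorized for view.')`. The two added lines also use two-space indentation inside a four-space-indented method, matching the pre-existing `container =` line rather than the surrounding file; normalizing to four spaces would avoid the mixed-indent body. The body of `__call__` continues past the end of this hunk, so whether `container` or the unauthenticated branch is used later cannot be confirmed here.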
-- 
2.30.9