From 9b702c12d0889beeabef7ce9f6608440c91ac03b Mon Sep 17 00:00:00 2001
From: Jean-Paul Smets <jp@nexedi.com>
Date: Sat, 13 Jan 2007 15:08:05 +0000
Subject: [PATCH] Added extra check to make sure View permission is required to render a Form.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@12059 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5Form/Form.py | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/product/ERP5Form/Form.py b/product/ERP5Form/Form.py
index 7bb16798de..2c1c2158f7 100644
--- a/product/ERP5Form/Form.py
+++ b/product/ERP5Form/Form.py
@@ -32,7 +32,9 @@ from Products.Formulator.Errors import FormValidationError, ValidationError
 from Products.Formulator.DummyField import fields
 from Products.Formulator.XMLToForm import XMLToForm
 from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
-from Products.ERP5Type import PropertySheet
+from Products.CMFCore.utils import _checkPermission
+from Products.CMFCore.exceptions import AccessControl_Unauthorized
+from Products.ERP5Type import PropertySheet, Permissions
 from urllib import quote
 from Globals import InitializeClass, PersistentMapping, DTMLFile, get_request
 
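Review bot: The new import `from Products.CMFCore.utils import _checkPermission` pulls in an underscore-prefixed helper, i.e. a name its module does not present as public API; the public form of the same test is `getSecurityManager().checkPermission(permission, object)` from `AccessControl.SecurityManagement`, which this file could call instead. If the private helper is kept on purpose because it is what the surrounding CMF code uses, a comment on the import line such as `# CMF permission test; same semantics as getSecurityManager().checkPermission` records that choice for the next reader. The other two added imports look consistent with how they are used in the second hunk.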
@@ -362,12 +364,35 @@ class ERP5Form(ZMIForm, ZopePageTemplate):
 # Proxy method to PageTemplate
 def __call__(self, *args, **kwargs):
+ # Security
+ #
+ # The minimal action consists in checking that
+ # we have View permission on the current object
+ # before rendering a form. Otherwise, object with
+ # AccessContentInformation can be viewed by invoking
+ # a form directly.
+ #
+ # What would be better is to prevent calling certain
+ # forms to render objects. This can not be done
+ # through actions since we are using sometimes forms
+ # to render the results of a report dialog form.
+ # An a appropriate solutions could consist in adding
+ # a permission field to the form. Another solutions
+ # is the use of REFERER in the rendering process.
+ #
+ # Both solutions are not perfect if the goal is, for
+ # example, to prevent displaying private information of
+ # staff. The only real solution is to use a special
+ # permission (ex. AccessPrivateInformation) for those
+ # properties which are sensitive.
 if not kwargs.has_key('args'): kwargs['args'] = args
 form = self
 object = getattr(form, 'aq_parent', None)
- if object:
+ if object is not None:
 container = object.aq_inner.aq_parent
+ if not _checkPermission(Permissions.View, object):
+ raise AccessControl_Unauthorized('This document is not authorizes for view.')
 else:
 container = None
 pt = getattr(self,self.pt)
-- 
2.30.9
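Review bot: The new `raise AccessControl_Unauthorized('This document is not authorizes for view.')` carries a typo in a message that reaches the user; it should read `raise AccessControl_Unauthorized('This document is not authorized for view.')`. The View check sits inside the `if object is not None:` branch only, so a form called without an acquisition parent is still rendered with no permission test; if that is intended, a one-line comment on the `else:` branch such as `# no context object, so there is nothing to test View against` would make it explicit, and if it is not, that branch should refuse as well. The 21-line comment block inside the body is design discussion rather than a why-comment; I would keep two lines at the check (what is tested and against which object) and move the rest into the method docstring. The body of `__call__` continues past the end of the hunk.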