Commit 49c95945 authored by Vincent Pelletier's avatar Vincent Pelletier Committed by Eteri

ERP5Security.ERP5UserLoginManager: Special-case user_id='System Processes'

Because of ERP5Type.UnrestrictedMethod, 'System Processes' can own objects.
Such objects can be proxy-role'd scripts, and proxy-role mechanism
triggers many users look-ups (each time security is evaluated, which is
virtually every getattr). Each such lookup will do a query for 'System
Processes' user, which will (hopefully) find nothing anyway.
So special-case 'System Processes' when looking by user_id by skipping
the search altogether (enforcing the inability to locate this user,
consistently with Zope assumptions, and consistently with previous
behaviour).
parent 6f4a3fe7
......@@ -40,11 +40,12 @@ from AccessControl import SpecialUsers
from Shared.DC.ZRDB.DA import DatabaseError
from zLOG import LOG, ERROR
SYSTEM_USER_USER_NAME = SpecialUsers.system.getUserName()
# To prevent login thieves
SPECIAL_USER_NAME_SET = (
ERP5Security.SUPER_USER,
SpecialUsers.nobody.getUserName(),
SpecialUsers.system.getUserName(),
SYSTEM_USER_USER_NAME,
# Note: adding emergency_user is pointless as its login is variable, so no
# way to prevent another user from stealing its login.
)
......@@ -196,6 +197,10 @@ class ERP5LoginUserManager(BasePlugin):
# PluggableAuthService.searchUsers.
if isinstance(id, str):
id = (id, )
# Short-cut "System Processes" as not being searchable by user_id.
# This improves performance in proxy-role'd execution by avoiding an
# sql query expected to find no user.
id = [x for x in id if x != SYSTEM_USER_USER_NAME]
if id:
if exact_match:
requested = set(id).__contains__
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment