Commit 9b702c12 authored by Jean-Paul Smets's avatar Jean-Paul Smets

Added extra check to make sure View permission is required to render a Form.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@12059 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent bc5cbe75
...@@ -32,7 +32,9 @@ from Products.Formulator.Errors import FormValidationError, ValidationError ...@@ -32,7 +32,9 @@ from Products.Formulator.Errors import FormValidationError, ValidationError
from Products.Formulator.DummyField import fields from Products.Formulator.DummyField import fields
from Products.Formulator.XMLToForm import XMLToForm from Products.Formulator.XMLToForm import XMLToForm
from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
from Products.ERP5Type import PropertySheet from Products.CMFCore.utils import _checkPermission
from Products.CMFCore.exceptions import AccessControl_Unauthorized
from Products.ERP5Type import PropertySheet, Permissions
from urllib import quote from urllib import quote
from Globals import InitializeClass, PersistentMapping, DTMLFile, get_request from Globals import InitializeClass, PersistentMapping, DTMLFile, get_request
...@@ -362,12 +364,35 @@ class ERP5Form(ZMIForm, ZopePageTemplate): ...@@ -362,12 +364,35 @@ class ERP5Form(ZMIForm, ZopePageTemplate):
# Proxy method to PageTemplate # Proxy method to PageTemplate
def __call__(self, *args, **kwargs): def __call__(self, *args, **kwargs):
# Security
#
# The minimal action consists in checking that
# we have View permission on the current object
# before rendering a form. Otherwise, object with
# AccessContentInformation can be viewed by invoking
# a form directly.
#
# What would be better is to prevent calling certain
# forms to render objects. This can not be done
# through actions since we are using sometimes forms
# to render the results of a report dialog form.
# An a appropriate solutions could consist in adding
# a permission field to the form. Another solutions
# is the use of REFERER in the rendering process.
#
# Both solutions are not perfect if the goal is, for
# example, to prevent displaying private information of
# staff. The only real solution is to use a special
# permission (ex. AccessPrivateInformation) for those
# properties which are sensitive.
if not kwargs.has_key('args'): if not kwargs.has_key('args'):
kwargs['args'] = args kwargs['args'] = args
form = self form = self
object = getattr(form, 'aq_parent', None) object = getattr(form, 'aq_parent', None)
if object: if object is not None:
container = object.aq_inner.aq_parent container = object.aq_inner.aq_parent
if not _checkPermission(Permissions.View, object):
raise AccessControl_Unauthorized('This document is not authorizes for view.')
else: else:
container = None container = None
pt = getattr(self,self.pt) pt = getattr(self,self.pt)
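Review bot: The new View check only runs inside the `if object is not None:` branch, so when `getattr(form, 'aq_parent', None)` returns None the `else:` branch sets `container = None` and rendering proceeds with no permission check at all; if rendering a form without an acquisition parent is not a supported path, that branch should fail closed, and if it is supported, a comment such as `# No acquisition parent: nothing to check View against` would make the asymmetry deliberate rather than accidental. The comparison was also changed from `if object:` to `if object is not None:`, which is the right call here since a falsy context object (one defining `__len__`/`__nonzero__`) would otherwise skip the check, but that motivation is worth a one-line comment. The raised message has a typo: `raise AccessControl_Unauthorized('This document is not authorized for view.')`. The `__call__` method continues past the end of this hunk.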