Commit 5b2ed66b authored by Romain Courteaud's avatar Romain Courteaud

Do not rely on catalog to check permissions.

Checking with portal_membership is also faster.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@13589 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 2c64ae24
......@@ -1295,36 +1295,30 @@ class CategoryTool( UniqueObject, Folder, Base ):
for base_category in base_category_list:
category_list.append("%s/%s" % (base_category, context.getRelativeUrl()))
# XXX TODO Only 'View' permission filtering is implemented now
query = None
if checked_permission is not None:
if isinstance(checked_permission, str):
checked_permission = (checked_permission, )
if 'View' in checked_permission:
# Use catalog for checking the View permission
query = self.portal_catalog.getSecurityQuery()
if query is not None:
query = self.portal_catalog.buildSQLQuery(query=query)
# XXX Is Base_zSearchRelatedObjectsByCategoryList still usefull ?
# It may possible to call portal catalog directly
# Base_zSearchRelatedObjectsByCategoryList add a dependency to ERP5
brain_result = self.Base_zSearchRelatedObjectsByCategoryList(
category_list=category_list,
portal_type=portal_type,
strict_membership=strict_membership,
where_expression=query['where_expression'],
order_by_expression=query['order_by_expression'],)
else:
brain_result = self.Base_zSearchRelatedObjectsByCategoryList(
category_list=category_list,
portal_type=portal_type,
strict_membership=strict_membership)
brain_result = self.Base_zSearchRelatedObjectsByCategoryList(
category_list=category_list,
portal_type=portal_type,
strict_membership=strict_membership)
result = []
for b in brain_result:
o = b.getObject()
if o is not None:
result.append(o)
if checked_permission is None:
# No permission to check
for b in brain_result:
o = b.getObject()
if o is not None:
result.append(o)
else:
# Check permissions on object
if isinstance(checked_permission, str):
checked_permission = (checked_permission, )
checkPermission = self.portal_membership.checkPermission
for b in brain_result:
obj = b.getObject()
if obj is not None:
for permission in checked_permission:
if not checkPermission(permission, obj):
break
result.append(obj)
return result
# XXX missing filter and **kw stuff
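Review bot: In the new permission branch, `result.append(obj)` follows the `for permission in checked_permission:` loop with no `else:` line between the `break` and the append, so as shown a failed `checkPermission` does not keep the object out of `result`. Because this commit also drops the catalog security query, that loop is the only remaining filter, and callers passing `checked_permission` would receive objects the current user lacks the permission on. Hanging the append on the loop's else clause (`else:` at the `for permission` level, with `result.append(obj)` under it) makes it run only when every permission passed. Indentation is lost in this rendering, so confirm against the file; a test with a user who lacks 'View' on one related object would pin the behaviour. The enclosing method starts outside the hunk.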