erp5_hal_json_style: check permission before access any document

2bb8b788 · Xiaowu Zhang · ffb55b51 · 2bb8b788
Commit 2bb8b788 authored Apr 16, 2019 by Xiaowu Zhang
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 0 deletions

bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py ...rtal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py +13 -0

No files found.
--- a/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
+++ b/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
@@ -2102,6 +2102,19 @@ else:

 context.Base_prepareCorsResponse(RESPONSE=response)

+if (restricted == 1) and (portal.portal_membership.isAnonymousUser()):
+  login_relative_url = site_root.getLayoutProperty("configuration_login", default="")
+  if (login_relative_url):
+    response.setHeader(
+      'WWW-Authenticate',
+      'X-Delegate uri="%s"' % (url_template_dict["login_template"] % {
+        "root_url": site_root.absolute_url(),
+        "login": login_relative_url
+      })
+    )
+  response.setStatus(401)
+  return ""
+
 # Check if traversed_document is the site_root
 if relative_url:
  temp_traversed_document = site_root.restrictedTraverse(relative_url, None)