Commit 2bb8b788 authored by Xiaowu Zhang's avatar Xiaowu Zhang

erp5_hal_json_style: check permission before access any document

parent ffb55b51
...@@ -2102,6 +2102,19 @@ else: ...@@ -2102,6 +2102,19 @@ else:
context.Base_prepareCorsResponse(RESPONSE=response) context.Base_prepareCorsResponse(RESPONSE=response)
if (restricted == 1) and (portal.portal_membership.isAnonymousUser()):
login_relative_url = site_root.getLayoutProperty("configuration_login", default="")
if (login_relative_url):
response.setHeader(
'WWW-Authenticate',
'X-Delegate uri="%s"' % (url_template_dict["login_template"] % {
"root_url": site_root.absolute_url(),
"login": login_relative_url
})
)
response.setStatus(401)
return ""
# Check if traversed_document is the site_root # Check if traversed_document is the site_root
if relative_url: if relative_url:
temp_traversed_document = site_root.restrictedTraverse(relative_url, None) temp_traversed_document = site_root.restrictedTraverse(relative_url, None)
......
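Review bot: When `configuration_login` is empty, the new anonymous gate still returns a 401 but sets no `WWW-Authenticate` header, although HTTP requires a challenge on every 401 and a client then has no way to find the login form. Consider always emitting a challenge, or answering 403 when no login URL is configured. The `uri="%s"` parameter is built from `login_relative_url` and `site_root.absolute_url()` without quoting, so a `"` or a line break in either value would corrupt the header; this is probably safe for trusted layout configuration, but a short comment stating that assumption would help. The hunk header shows this code sits under an `else:` that starts outside the hunk, so it is not visible whether the sibling branch applies the same check, which the commit title implies it should. A comment such as `# Anonymous users on a restricted site get a 401 before any traversal` above the `if` would record why the early return exists.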