From 1597877cc826d1823893faecd6eb74032148272a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9rome=20Perrin?= <jerome@nexedi.com>
Date: Mon, 24 Jul 2006 14:35:39 +0000
Subject: [PATCH] authentication is not available in before traverse hooks, so we have to do manual pseudo security check to allow managers to enter arbitrary URLs.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@8716 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5/ERP5Site.py | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/product/ERP5/ERP5Site.py b/product/ERP5/ERP5Site.py
index ff78c965b1..080ed84759 100644
--- a/product/ERP5/ERP5Site.py
+++ b/product/ERP5/ERP5Site.py
@@ -105,14 +105,14 @@ class ReferCheckerBeforeTraverseHook:
     response = request.RESPONSE
     http_url = request.get('ACTUAL_URL', '').strip()
     http_referer = request.get('HTTP_REFERER', '').strip()
-
-    security_manager = AccessControl.getSecurityManager()
-    user = security_manager.getUser()
-    user_roles = user.getRolesInContext(object)
-
-    # Manager can do anything
-    if 'Manager' in user_roles:
-      return
+
+    user_password = request._authUserPW()
+    if user_password:
+      user = container.acl_users.getUserById(user_password[0]) or\
+             container.aq_parent.acl_users.getUserById(user_password[0])
+      # Manager can do anything
+      if user is not None and 'Manager' in user.getRoles():
+        return
 
     portal_url = container.portal_url.getPortalObject().absolute_url()
     if http_referer != '':
@@ -172,7 +172,9 @@ class ERP5Site(FolderMixIn, CMFSite):
     """
     BeforeTraverse.registerBeforeTraverse(self,
                 ReferCheckerBeforeTraverseHook(),
-                ReferCheckerBeforeTraverseHook.handle)
+                ReferCheckerBeforeTraverseHook.handle,
+                # we want to be registered _after_ CookieCrumbler
+                100)
 
   def _disableRefererCheck(self):
     """Disable the HTTP_REFERER check."""
-- 
2.30.9
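Review bot: The new Manager shortcut in the first hunk trusts the username from the Authorization header without verifying the password: `request._authUserPW()` only decodes the Basic credentials and `getUserById` only fetches the user record, so `'Manager' in user.getRoles()` succeeds for any request that merely names a Manager account and the referer check this shortcut guards is then skipped. The user folder can validate the pair instead, e.g. `user = container.acl_users.authenticate(user_password[0], user_password[1], request) or\` followed by `container.aq_parent.acl_users.authenticate(user_password[0], user_password[1], request)`, so that only a correctly authenticated Manager bypasses the check. Replacing `getRolesInContext(object)` with `getRoles()` also drops local roles on the traversed object; that is presumably intended because the hook runs before traversal, but a one-line comment saying so would save the next reader the question. The enclosing `handle` method starts above the hunk.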
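Review bot: In the second hunk the priority `100` passed to `registerBeforeTraverse` is a bare magic number whose only explanation is a comment wedged between positional arguments, and that comment states the intent but not the mechanism that makes 100 correct. A module-level constant with a why-comment would make the ordering constraint explicit, e.g. `# BeforeTraverse runs hooks in ascending priority; this must exceed CookieCrumbler's priority so its cookie-derived Authorization header is in place before the referer check runs` — the value CookieCrumbler registers with should be confirmed against the installed version rather than assumed. The enclosing method starts above the hunk.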