From 1597877cc826d1823893faecd6eb74032148272a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9rome=20Perrin?= <jerome@nexedi.com>
Date: Mon, 24 Jul 2006 14:35:39 +0000
Subject: [PATCH] authentication is not available in before traverse hooks, so
 we have to do manual pseudo security check to allow managers to enter
 arbitrary URLs.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@8716 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5/ERP5Site.py | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/product/ERP5/ERP5Site.py b/product/ERP5/ERP5Site.py
index ff78c965b1..080ed84759 100644
--- a/product/ERP5/ERP5Site.py
+++ b/product/ERP5/ERP5Site.py
@@ -105,14 +105,14 @@ class ReferCheckerBeforeTraverseHook:
     response = request.RESPONSE
     http_url = request.get('ACTUAL_URL', '').strip()
     http_referer = request.get('HTTP_REFERER', '').strip()
-
-    security_manager = AccessControl.getSecurityManager()
-    user = security_manager.getUser()
-    user_roles = user.getRolesInContext(object)
-
-    # Manager can do anything
-    if 'Manager' in user_roles:
-      return
+    
+    user_password = request._authUserPW()
+    if user_password:
+      user = container.acl_users.getUserById(user_password[0]) or\
+              container.aq_parent.acl_users.getUserById(user_password[0])
+      # Manager can do anything
+      if user is not None and 'Manager' in user.getRoles():
+        return
     
     portal_url = container.portal_url.getPortalObject().absolute_url()
     if http_referer != '':
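Review bot: The new Manager bypass never checks the password half of `user_password`: `getUserById(user_password[0])` resolves the account by name alone, so any request whose Authorization header names a Manager account skips the referer check regardless of whether the credential is valid. The lookup should go through the user folder's authentication instead, e.g. `user = container.acl_users.authenticate(user_password[0], user_password[1], request) or container.aq_parent.acl_users.authenticate(user_password[0], user_password[1], request)`, keeping the `'Manager' in user.getRoles()` test as written. Separately, the removed code used `getRolesInContext(object)` while the new code uses `getRoles()`, which appears to drop locally granted Manager roles; if that narrowing is intended, the `# Manager can do anything` comment should say so (`# Manager can do anything (global role only; local roles are not consulted here)`). `_authUserPW()` is a private request method and, as far as the hunk shows, only sees basic-auth style credentials, which is worth a comment since cookie-based logins depend on the hook ordering. The enclosing method starts and ends outside the hunk.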
@@ -172,7 +172,9 @@ class ERP5Site(FolderMixIn, CMFSite):
     """
     BeforeTraverse.registerBeforeTraverse(self,
                                         ReferCheckerBeforeTraverseHook(),
-                                        ReferCheckerBeforeTraverseHook.handle)
+                                        ReferCheckerBeforeTraverseHook.handle,
+                             # we want to be registered _after_ CookieCrumbler
+                                        100)
   
   def _disableRefererCheck(self):
     """Disable the HTTP_REFERER check."""
-- 
2.30.9