Skip to content

erp5
erp5
Commit 472f5d8b authored by Jérome Perrin's avatar Jérome Perrin
Browse files
Options

PreferenceTool: fix missing security on getPreference

parent b2a2c97c
Hide whitespace changes
Inline Side-by-side
Showing with 4 additions and 2 deletions
bt5/erp5_core_test/TestTemplateItem/portal_components/test.erp5.testPreferences.py
View file @ 472f5d8b
......@@ -651,6 +651,7 @@ class TestPreferences(PropertySheetTestCase):
preference_tool.manage_permission(read_permission, [], 0)
obj.manage_permission(read_permission, [], 0)
self.assertFalse(guarded_hasattr(preference_tool, 'getPreferredToto'))
self.assertEqual(preference_tool.getPreference('toto'), None)
preference_tool.manage_permission(read_permission, ['Manager'], 1)
......
product/ERP5Form/PreferenceTool.py
View file @ 472f5d8b
......@@ -30,6 +30,7 @@
from AccessControl import ClassSecurityInfo
from AccessControl.SecurityManagement import getSecurityManager,\
setSecurityManager, newSecurityManager
from AccessControl.ZopeGuards import guarded_getattr
from MethodObject import Method
from Products.ERP5Type.Globals import InitializeClass, DTMLFile
from zLOG import LOG, PROBLEM
......@@ -128,8 +129,8 @@ class PreferenceTool(BaseTool):
security.declarePublic('getPreference')
def getPreference(self, pref_name, default=_marker) :
""" get the preference on the most appopriate Preference object. """
method = getattr(self, 'get%s' % convertToUpperCase(pref_name), None)
""" get the preference on the most appropriate Preference object. """
method = guarded_getattr(self, 'get%s' % convertToUpperCase(pref_name), None)
if method is not None:
return method(default)
if default is _marker:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7