fixup! ERP5Security.ERP5UserFactory: cache path instead of object.

Apply security in ERP5User methods.

fixup! ERP5Security.ERP5UserFactory: cache path instead of object.
Apply security in ERP5User methods.
a95a5aec · Vincent Pelletier · a14341a6 · a95a5aec
Commit a95a5aec authored Dec 12, 2016 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 6 deletions

product/ERP5Security/ERP5UserFactory.py product/ERP5Security/ERP5UserFactory.py +6 -6

No files found.
--- a/product/ERP5Security/ERP5UserFactory.py
+++ b/product/ERP5Security/ERP5UserFactory.py
@@ -204,7 +204,7 @@ class ERP5User(PropertiedUser):
    """
    result = self._user_path
    if result is not None:
-      return self.getPortalObject().unrestrictedTraverse(result)
+      return self.getPortalObject().restrictedTraverse(result)
    # user id may match in more than one PAS plugin, but fail if more than one
    # underlying path is found.
    user_path_set = {x['path'] for x in self.aq_parent.searchUsers(
@@ -214,7 +214,7 @@ class ERP5User(PropertiedUser):
    if user_path_set:
      user_path, = user_path_set
      self._user_path = user_path
-      return self.getPortalObject().unrestrictedTraverse(user_path)
+      return self.getPortalObject().restrictedTraverse(user_path)

  def getLoginValue(self):
    """ -> login document
@@ -223,7 +223,7 @@ class ERP5User(PropertiedUser):
    """
    result = self._login_path
    if result is not None:
-      return self.getPortalObject().unrestrictedTraverse(result)
+      return self.getPortalObject().restrictedTraverse(result)
    # user name may match at most once, or there can be endless ambiguity.
    user_list = [x for x in self.aq_parent.searchUsers(
      exact_match=True,
@@ -233,7 +233,7 @@ class ERP5User(PropertiedUser):
      user, = user_list
      login, = user['login_list']
      result = self._login_path = login['path']
-      return self.getPortalObject().unrestrictedTraverse(result)
+      return self.getPortalObject().restrictedTraverse(result)

  def getLoginValueList(self, portal_type=None, limit=None):
    """ -> list of login documents
@@ -251,8 +251,8 @@ class ERP5User(PropertiedUser):
      ) if 'login_list' in user
      for login in user['login_list']
    }
-    unrestrictedTraverse = self.getPortalObject().unrestrictedTraverse
-    return [unrestrictedTraverse(x) for x in user_path_set]
+    restrictedTraverse = self.getPortalObject().restrictedTraverse
+    return [restrictedTraverse(x) for x in user_path_set]

 InitializeClass(ERP5User)