Commit 6e014198 authored by Aurel's avatar Aurel

Do not join with the roles_and_user table any longer when doing

search/countResults; instead, make a first request to get the security uid
and pass in the result.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@12959 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent febb03ac
...@@ -45,7 +45,7 @@ from Products.CMFCore.Expression import Expression ...@@ -45,7 +45,7 @@ from Products.CMFCore.Expression import Expression
from Products.PageTemplates.Expressions import getEngine from Products.PageTemplates.Expressions import getEngine
from MethodObject import Method from MethodObject import Method
import os, time, urllib import os, time, urllib, warnings
from zLOG import LOG from zLOG import LOG
SECURITY_USING_NUX_USER_GROUPS, SECURITY_USING_PAS = range(2) SECURITY_USING_NUX_USER_GROUPS, SECURITY_USING_PAS = range(2)
...@@ -425,13 +425,32 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject): ...@@ -425,13 +425,32 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
return allowedRolesAndUsers return allowedRolesAndUsers
security.declarePrivate('getSecurityUid')
def getSecurityUid(self, **kw):
"""
Return list of security oid for given roles list
"""
catalog = self.getSQLCatalog()
method = getattr(catalog, catalog.sql_search_security, '')
if method in ('', None):
# XXX old way, should not be used anylonger
warnings.warn("The usage of allowedRolesAndUsers is deprecated.\n"
"Please update your business template erp5_mysql_innodb.",
DeprecationWarning)
kw['allowedRolesAndUsers'] = self.getAllowedRolesAndUsers(**kw)
else:
allowedRolesAndUsers = ["'%s'" % (role, ) for role in self.getAllowedRolesAndUsers(**kw)]
security_uid_list = [x.uid for x in method(security_roles_list = allowedRolesAndUsers)]
kw['security_uid'] = security_uid_list
return kw
# searchResults has inherited security assertions. # searchResults has inherited security assertions.
def searchResults(self, REQUEST=None, **kw): def searchResults(self, REQUEST=None, **kw):
""" """
Calls ZCatalog.searchResults with extra arguments that Calls ZCatalog.searchResults with extra arguments that
limit the results to what the user is allowed to see. limit the results to what the user is allowed to see.
""" """
kw[ 'allowedRolesAndUsers' ] = self.getAllowedRolesAndUsers(**kw) # XXX allowedRolesAndUsers naming is wrong kw = self.getSecurityUid(**kw)
if not _checkPermission( if not _checkPermission(
CMFCorePermissions.AccessInactivePortalContent, self ): CMFCorePermissions.AccessInactivePortalContent, self ):
...@@ -457,11 +476,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject): ...@@ -457,11 +476,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
Calls ZCatalog.countResults with extra arguments that Calls ZCatalog.countResults with extra arguments that
limit the results to what the user is allowed to see. limit the results to what the user is allowed to see.
""" """
kw[ 'allowedRolesAndUsers' ] = self.getAllowedRolesAndUsers(**kw) # XXX allowedRolesAndUsers naming is wrong kw = self.getSecurityUid(**kw)
# Forget about permissions in statistics
# (we should not count lines more than once with statistic expressions)
if kw.has_key('select_expression'): del kw[ 'allowedRolesAndUsers' ]
# XXX This needs to be set again # XXX This needs to be set again
#if not _checkPermission( #if not _checkPermission(
......
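Review bot: In the else branch of getSecurityUid, each role or user string is quoted by hand with `"'%s'" % (role, )` and no escaping, so a value containing a single quote would reach the sql_search_security query as raw SQL text. How that Z SQL method consumes security_roles_list is not visible on this page, but the quoting is safer done inside the SQL method (for example `<dtml-sqlvar>` with `type="string"`), with the caller passing the plain list: `method(security_roles_list=self.getAllowedRolesAndUsers(**kw))`. The same branch sets `kw['security_uid']` to an empty list when the lookup returns no rows; it should be confirmed that the catalog turns an empty list into a condition that matches nothing rather than silently dropping the security filter. In countResults the removed `select_expression` special case also means the deprecated fallback path now keeps `allowedRolesAndUsers` for statistics queries, which deserves a short comment if it is intended.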