Commit 9c2a0089 authored by Romain Courteaud's avatar Romain Courteaud Committed by Cédric de Saint Martin

Allow to force user authentication.

Use the HalRestricted skin selection to prevent anonymous user to access the API.

This allow the JS application to be informed that the user is not authenticated (and so, it can prevent allDocs call without results).

Consider this code as a proof of concept which should be instead be done at PAS level.

Restricted access on WebSection level can not be done currently, as it will redirect the query to the ERP5 login_form page template.
(cherry picked from commit 6fecf063)
parent 3fbc0275
<registered_skin_selection>
<skin_folder_selection>
<skin_folder>erp5_hal_json_restricted_style</skin_folder>
<skin_selection>HalRestricted</skin_selection>
</skin_folder_selection>
<skin_folder_selection>
<skin_folder>erp5_hal_json_style</skin_folder>
<skin_selection>Hal</skin_selection>
<skin_selection>HalRestricted,Hal</skin_selection>
</skin_folder_selection>
<skin_folder_selection>
<skin_folder>erp5_xhtml_style</skin_folder>
<skin_selection>Hal</skin_selection>
<skin_selection>HalRestricted,Hal</skin_selection>
</skin_folder_selection>
</registered_skin_selection>
\ No newline at end of file
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="Folder" module="OFS.Folder"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_local_properties</string> </key>
<value>
<tuple>
<dictionary>
<item>
<key> <string>id</string> </key>
<value> <string>business_template_skin_layer_priority</string> </value>
</item>
<item>
<key> <string>type</string> </key>
<value> <string>float</string> </value>
</item>
</dictionary>
</tuple>
</value>
</item>
<item>
<key> <string>_objects</string> </key>
<value>
<tuple/>
</value>
</item>
<item>
<key> <string>business_template_skin_layer_priority</string> </key>
<value> <float>99.5</float> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>erp5_hal_json_restricted_style</string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string></string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_body</string> </key>
<value> <string># Manually force restricted mode in the ERP5Document_getHateoas\n
# Can not be done quickly with Security handling, as it redirects the request to the login form\n
\n
new_skin_name = "Hal"\n
context.getPortalObject().portal_skins.changeSkin(new_skin_name)\n
if REQUEST is None:\n
REQUEST = context.REQUEST\n
REQUEST.set(\'portal_skin\', new_skin_name)\n
\n
return context.ERP5Document_getHateoas(\n
REQUEST=REQUEST,\n
response=response,\n
view=view,\n
mode=mode,\n
query=query,\n
select_list=select_list,\n
limit=limit,\n
form=form,\n
relative_url=relative_url,\n
restricted=1\n
)\n
</string> </value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>REQUEST=None, response=None, view=None, mode=\'root\', query=None, select_list=None, limit=None, form=None, relative_url=None</string> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>ERP5Document_getHateoas</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
......@@ -344,7 +344,7 @@ sql_catalog = portal.portal_catalog.getSQLCatalog()\n
is_web_mode = (context.REQUEST.get(\'current_web_section\', None) is not None) or context.isWebMode()\n
# is_web_mode = traversed_document.isWebMode()\n
if is_web_mode:\n
site_root = context.getWebSiteValue()\n
site_root = context.REQUEST.get(\'current_web_section\', context.getWebSiteValue())\n
else:\n
site_root = portal\n
\n
......@@ -386,8 +386,10 @@ result_dict = {\n
}\n
}\n
\n
if (restricted == 1) and (portal.portal_membership.isAnonymousUser()):\n
response.setStatus(401)\n
\n
if mime_type != traversed_document.Base_handleAcceptHeader([mime_type]):\n
elif mime_type != traversed_document.Base_handleAcceptHeader([mime_type]):\n
response.setStatus(406)\n
return ""\n
\n
......@@ -735,7 +737,7 @@ return json.dumps(result_dict, indent=2)\n
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>REQUEST=None, response=None, view=None, mode=\'root\', query=None, select_list=None, limit=None, form=None, relative_url=None</string> </value>
<value> <string>REQUEST=None, response=None, view=None, mode=\'root\', query=None, select_list=None, limit=None, form=None, relative_url=None, restricted=0</string> </value>
</item>
<item>
<key> <string>id</string> </key>
......
21
\ No newline at end of file
22
\ No newline at end of file
erp5_hal_json_restricted_style | HalRestricted
erp5_hal_json_style | Hal
erp5_xhtml_style | Hal
\ No newline at end of file
erp5_hal_json_style | HalRestricted
erp5_xhtml_style | Hal
erp5_xhtml_style | HalRestricted
\ No newline at end of file
erp5_hal_json_restricted_style
erp5_hal_json_style
\ No newline at end of file
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment