Commit 3fbddb7f authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

The permissions guard check should also respect the caller's proxy roles, as the roles guard already does.

parent 77fa7de1
...@@ -10,13 +10,13 @@ ...@@ -10,13 +10,13 @@
# FOR A PARTICULAR PURPOSE # FOR A PARTICULAR PURPOSE
# #
############################################################################## ##############################################################################
from Products.CMFCore.utils import _checkPermission
from Products.DCWorkflow.Guard import Guard from Products.DCWorkflow.Guard import Guard
from Products.PythonScripts.PythonScript import PythonScript from Products.PythonScripts.PythonScript import PythonScript
from App.special_dtml import DTMLFile from App.special_dtml import DTMLFile
from Products.ERP5Type import _dtmldir from Products.ERP5Type import _dtmldir
from AccessControl import ClassSecurityInfo, getSecurityManager from AccessControl import ClassSecurityInfo, getSecurityManager
from AccessControl.class_init import InitializeClass from AccessControl.class_init import InitializeClass
from AccessControl.PermissionRole import rolesForPermissionOn
from OFS.misc_ import p_ from OFS.misc_ import p_
from App.ImageFile import ImageFile from App.ImageFile import ImageFile
from Acquisition import aq_base, aq_parent from Acquisition import aq_base, aq_parent
...@@ -109,27 +109,32 @@ def checkGuard(guard, ob): ...@@ -109,27 +109,32 @@ def checkGuard(guard, ob):
# returns 1 if guard passes against ob, else 0. # returns 1 if guard passes against ob, else 0.
# TODO : implement TALES evaluation by defining an appropriate # TODO : implement TALES evaluation by defining an appropriate
# context. # context.
sm = None u_roles = None
def getRoles():
sm = getSecurityManager()
u = sm.getUser()
stack = sm._context.stack
if stack and len(stack) > 1:
eo = stack[-2] # -1 is the current script.
proxy_roles = getattr(eo, '_proxy_roles', None)
if proxy_roles:
roles = proxy_roles
return proxy_roles
roles = u.getRolesInContext(ob)
return roles
if guard.permissions: if guard.permissions:
# Require at least one role for required roles for the given permission.
if u_roles is None:
u_roles = getRoles()
for p in guard.permissions: for p in guard.permissions:
if _checkPermission(p, ob): if set(rolesForPermissionOn(p, ob)).intersection(u_roles):
break break
else: else:
return 0 return 0
if guard.roles: if guard.roles:
if sm is None:
sm = getSecurityManager()
u = sm.getUser()
def getRoles():
stack = sm._context.stack
if stack and len(stack) > 1:
eo = stack[-2] # -1 is the current script.
proxy_roles = getattr(eo, '_proxy_roles', None)
if proxy_roles:
return proxy_roles
return u.getRolesInContext(ob)
# Require at least one of the given roles. # Require at least one of the given roles.
u_roles = getRoles() if u_roles is None:
u_roles = getRoles()
for role in guard.roles: for role in guard.roles:
if role in u_roles: if role in u_roles:
break break
...@@ -137,9 +142,8 @@ def checkGuard(guard, ob): ...@@ -137,9 +142,8 @@ def checkGuard(guard, ob):
return 0 return 0
if guard.groups: if guard.groups:
# Require at least one of the specified groups. # Require at least one of the specified groups.
if sm is None: sm = getSecurityManager()
sm = getSecurityManager() u = sm.getUser()
u = sm.getUser()
b = aq_base( u ) b = aq_base( u )
if hasattr( b, 'getGroupsInContext' ): if hasattr( b, 'getGroupsInContext' ):
u_groups = u.getGroupsInContext( ob ) u_groups = u.getGroupsInContext( ob )
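Review bot: The new check `if set(rolesForPermissionOn(p, ob)).intersection(u_roles):` passes the helper's result straight to `set()`, but `rolesForPermissionOn` can return a bare role string rather than a sequence (Zope's own `ZopeSecurityPolicy.checkPermission` normalises it with an `isinstance(roles, str)` test), and a string would be split into single characters so the permission would silently never match. Normalise first: `roles = rolesForPermissionOn(p, ob)`, `if isinstance(roles, str): roles = (roles,)`, `if set(roles).intersection(u_roles): break`. Note also that the replaced `_checkPermission` path went through the security policy, which, as far as I recall, additionally requires the executable's owner to hold the permission and to be in context before proxy roles are honoured; the plain role intersection skips those owner checks, so if that weakening is intended for parity with the roles guard it deserves a comment at the `if guard.permissions:` branch. The assignment `roles = proxy_roles` immediately before `return proxy_roles` in `getRoles` is dead and can be dropped. `checkGuard` starts before the first hunk and continues past the last one.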
......