mixin.erp5.BaseExtensibleTraversableMixin: Do not call PAS with a fake request

As already documented in this code, unrestrictedTraverse provides a flat dict as "request" argument. PAS plugins cannot work with such fake request, so such _extractUserIds call will not succeed in authenticating the user, and instead produces (suppressed) exceptions within PAS. As a result, neither codepaths can be followed: - PAS cannot find any user, hence "if len(user_list) > 0:" is false - the "else" codepath starts with "request._auth", which obviously raises when request is a dict So, reorder the code so that the nature of the request is checked before either codepath is entered, skipping the bulk of this code and avoiding calling into PAS.

mixin.erp5.BaseExtensibleTraversableMixin: Do not call PAS with a fake request
As already documented in this code, unrestrictedTraverse provides a flat dict as "request" argument. PAS plugins cannot work with such fake request, so such _extractUserIds call will not succeed in authenticating the user, and instead produces (suppressed) exceptions within PAS. As a result, neither codepaths can be followed: - PAS cannot find any user, hence "if len(user_list) > 0:" is false - the "else" codepath starts with "request._auth", which obviously raises when request is a dict So, reorder the code so that the nature of the request is checked before either codepath is entered, skipping the bulk of this code and avoiding calling into PAS.
67988359 · Vincent Pelletier · 99e4a6c7 · 67988359
Commit 67988359 authored Oct 19, 2023 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 6 deletions

product/ERP5/bootstrap/erp5_core/MixinTemplateItem/portal_components/mixin.erp5.BaseExtensibleTraversableMixin.py ...l_components/mixin.erp5.BaseExtensibleTraversableMixin.py +7 -6

No files found.
--- a/product/ERP5/bootstrap/erp5_core/MixinTemplateItem/portal_components/mixin.erp5.BaseExtensibleTraversableMixin.py
+++ b/product/ERP5/bootstrap/erp5_core/MixinTemplateItem/portal_components/mixin.erp5.BaseExtensibleTraversableMixin.py
@@ -90,13 +90,19 @@ class BaseExtensibleTraversableMixin(ExtensibleTraversableMixin):
            else:
              has_published = True
            try:
+              auth = request._auth
+            except AttributeError:
+              # This kind of error happens with unrestrictedTraverse,
+              # because the request object is a fake, and it is just
+              # a dict object.
+              user = None
+            else:
              name = None
              acl_users = self.getPortalObject().acl_users
              user_list = acl_users._extractUserIds(request, acl_users.plugins)
              if len(user_list) > 0:
                name = user_list[0][0]
              else:
-                auth = request._auth
                # this logic is copied from identify() in
                # AccessControl.User.BasicUserFolder.
                if auth and auth.lower().startswith('basic '):
@@ -105,11 +111,6 @@ class BaseExtensibleTraversableMixin(ExtensibleTraversableMixin):
                user = portal_membership._huntUser(name, self)
              else:
                user = None
-            except AttributeError:
-              # This kind of error happens with unrestrictedTraverse,
-              # because the request object is a fake, and it is just
-              # a dict object.
-              user = None
            if not has_published:
              try:
                del request.other['PUBLISHED']