Commit 6c3db78b authored by Cédric Le Ninivin's avatar Cédric Le Ninivin

erp5_hal_json_style: Check if access is restricted prior traversing documents

parent 9da55ffb
...@@ -532,6 +532,20 @@ def parseActionUrl(url): ...@@ -532,6 +532,20 @@ def parseActionUrl(url):
'url': url 'url': url
} }
def redirectToLoginForm():
login_relative_url = site_root.getLayoutProperty("configuration_login", default="")
if (login_relative_url):
response.setHeader(
'WWW-Authenticate',
'X-Delegate uri="%s"' % (url_template_dict["login_template"] % {
"root_url": site_root.absolute_url(),
"login": login_relative_url
})
)
response.setStatus(401)
return ""
def getFormRelativeUrl(form): def getFormRelativeUrl(form):
return portal.portal_catalog( return portal.portal_catalog(
portal_type=("ERP5 Form", "ERP5 Report"), portal_type=("ERP5 Form", "ERP5 Report"),
...@@ -1324,17 +1338,7 @@ def calculateHateoas(is_portal=None, is_site_root=None, traversed_document=None, ...@@ -1324,17 +1338,7 @@ def calculateHateoas(is_portal=None, is_site_root=None, traversed_document=None,
} }
if (restricted == 1) and (portal.portal_membership.isAnonymousUser()): if (restricted == 1) and (portal.portal_membership.isAnonymousUser()):
login_relative_url = site_root.getLayoutProperty("configuration_login", default="") return redirectToLoginForm()
if (login_relative_url):
response.setHeader(
'WWW-Authenticate',
'X-Delegate uri="%s"' % (url_template_dict["login_template"] % {
"root_url": site_root.absolute_url(),
"login": login_relative_url
})
)
response.setStatus(401)
return ""
elif mime_type != traversed_document.Base_handleAcceptHeader([mime_type]): elif mime_type != traversed_document.Base_handleAcceptHeader([mime_type]):
response.setStatus(406) response.setStatus(406)
...@@ -2187,6 +2191,10 @@ else: ...@@ -2187,6 +2191,10 @@ else:
context.Base_prepareCorsResponse(RESPONSE=response) context.Base_prepareCorsResponse(RESPONSE=response)
# Check if restricted prior traversing any documents
if (restricted == 1) and (portal.portal_membership.isAnonymousUser()):
return redirectToLoginForm()
# Check if traversed_document is the site_root # Check if traversed_document is the site_root
if relative_url: if relative_url:
temp_traversed_document = site_root.restrictedTraverse(relative_url, None) temp_traversed_document = site_root.restrictedTraverse(relative_url, None)
......
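Review bot: `redirectToLoginForm` in the first hunk has no docstring, and because the rendered page drops indentation it is not clear whether `response.setStatus(401)` sits inside `if (login_relative_url):` or after it; if it is inside, an anonymous request on a site with no `configuration_login` layout property returns "" with the default status, so the new early check in the third hunk would yield a silent empty page rather than a refusal. Add a docstring such as `"""Refuse the request with 401 and, when 'configuration_login' is set, advertise the login form via WWW-Authenticate: X-Delegate; always returns "" for the caller to hand back."""` and make sure the status line is dedented out of the inner `if`. The `login_relative_url` value is interpolated into a response header without validation, which is acceptable only because layout properties are set by site administrators — a one-line comment stating that assumption would help the next reader. The helper reads `site_root`, `response` and `url_template_dict` from the enclosing script scope, which begins outside the hunk.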