Commit 9fdef63c authored by Jérome Perrin's avatar Jérome Perrin

ERP5: prevent using NotificationTool directly

We don't want users to be able to use the tool and send arbitrary
notifications to other users.
parent b717db2c
......@@ -32,6 +32,7 @@ from Products.CMFCore.utils import getToolByName
from Products.ERP5Type.Tool.BaseTool import BaseTool
from Products.ERP5Type import Permissions
from AccessControl import ModuleSecurityInfo
from zExceptions import Unauthorized
from Products.ERP5 import _dtmldir
from mimetypes import guess_type
......@@ -237,7 +238,8 @@ class NotificationTool(BaseTool):
check_consistency=False,
message_text_format='text/plain',
event_keyword_argument_dict=None,
portal_type_list=None):
portal_type_list=None,
REQUEST=None):
"""
This method provides a common API to send messages to erp5 users
from object actions of workflow scripts.
......@@ -284,6 +286,8 @@ class NotificationTool(BaseTool):
TODO: support default notification email
"""
if REQUEST is not None:
  • I first considered disallowing GET requests only, thinking that this method already performs authentication and that we could want to use this API from javascript or something, but let's reconsider this once we have a real use case.

Please register or sign in to reply
raise Unauthorized()
portal = self.getPortalObject()
searchUsers = self.acl_users.searchUsers
def getUserValueByUserId(user_id):
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment