Commit 9fdef63c by Jérome Perrin

ERP5: prevent using NotificationTool directly

We don't want users to be able to use the tool and send arbitrary
notifications to other users.
1 parent b717db2c
...@@ -32,6 +32,7 @@ from Products.CMFCore.utils import getToolByName ...@@ -32,6 +32,7 @@ from Products.CMFCore.utils import getToolByName
from Products.ERP5Type.Tool.BaseTool import BaseTool from Products.ERP5Type.Tool.BaseTool import BaseTool
from Products.ERP5Type import Permissions from Products.ERP5Type import Permissions
from AccessControl import ModuleSecurityInfo from AccessControl import ModuleSecurityInfo
from zExceptions import Unauthorized
from Products.ERP5 import _dtmldir from Products.ERP5 import _dtmldir
from mimetypes import guess_type from mimetypes import guess_type
...@@ -237,7 +238,8 @@ class NotificationTool(BaseTool): ...@@ -237,7 +238,8 @@ class NotificationTool(BaseTool):
check_consistency=False, check_consistency=False,
message_text_format='text/plain', message_text_format='text/plain',
event_keyword_argument_dict=None, event_keyword_argument_dict=None,
portal_type_list=None): portal_type_list=None,
REQUEST=None):
""" """
This method provides a common API to send messages to erp5 users This method provides a common API to send messages to erp5 users
from object actions of workflow scripts. from object actions of workflow scripts.
...@@ -284,6 +286,8 @@ class NotificationTool(BaseTool): ...@@ -284,6 +286,8 @@ class NotificationTool(BaseTool):
TODO: support default notification email TODO: support default notification email
""" """
if REQUEST is not None:
  • I first considered disallowing GET requests only, thinking that this method already performs authentication and that we could want to use this API from javascript or something, but let's reconsider this once we have a real use case.

raise Unauthorized()
portal = self.getPortalObject() portal = self.getPortalObject()
searchUsers = self.acl_users.searchUsers searchUsers = self.acl_users.searchUsers
def getUserValueByUserId(user_id): def getUserValueByUserId(user_id):
......
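Review bot: The new guard `if REQUEST is not None: raise Unauthorized()` depends on a Zope publisher convention (a parameter literally named `REQUEST` is filled in only when the method is reached through the web) that neither the code nor the docstring states, so a later maintainer may rename the parameter or pass a request from Python code and silently break or bypass the intent. I would put the reason on the guard itself, e.g. `# REQUEST is injected by the publisher only: refuse direct web calls, this is an internal API`, and add a line to the docstring (whose body continues outside the hunk) saying that REQUEST must be left as None and that Unauthorized is raised otherwise. The method's `def` line is outside the hunk, so I cannot see its security declaration; if it is also declared accessible to web users elsewhere, tightening that declaration would be the stronger control, with this check as defence in depth. Minor style point in the first hunk: `from zExceptions import Unauthorized` is inserted between the AccessControl and Products.ERP5 imports rather than grouped with the other Zope-level imports.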