Commit 2ab66283 authored by Łukasz Nowak's avatar Łukasz Nowak

Security fix: check Assignment in case of Person.

parent c6097304
...@@ -48,6 +48,7 @@ from Products.ERP5Type.ERP5Type \ ...@@ -48,6 +48,7 @@ from Products.ERP5Type.ERP5Type \
import ERP5TYPE_SECURITY_GROUP_ID_GENERATION_SCRIPT import ERP5TYPE_SECURITY_GROUP_ID_GENERATION_SCRIPT
from Products.ERP5Type.Cache import CachingMethod from Products.ERP5Type.Cache import CachingMethod
from Products.ZSQLCatalog.SQLCatalog import Query, ComplexQuery from Products.ZSQLCatalog.SQLCatalog import Query, ComplexQuery
from Products.ERP5Security.ERP5UserManager import getValidAssignmentList
#Form for new plugin in ZMI #Form for new plugin in ZMI
manage_addVifibMachineAuthenticationPluginForm = PageTemplateFile( manage_addVifibMachineAuthenticationPluginForm = PageTemplateFile(
...@@ -148,6 +149,10 @@ class VifibMachineAuthenticationPlugin(BasePlugin): ...@@ -148,6 +149,10 @@ class VifibMachineAuthenticationPlugin(BasePlugin):
user_list = self.getUserByLogin(login) user_list = self.getUserByLogin(login)
if len(user_list) != 1: if len(user_list) != 1:
return None return None
user = user_list[0]
if user.getPortalType() == 'Person':
if len(getValidAssignmentList(user)) == 0:
return None
return (login, login) return (login, login)
def getUserByLogin(self, login): def getUserByLogin(self, login):
......
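Review bot: The assignment check in the added lines runs only when `user.getPortalType() == 'Person'`, so any other portal type returned by `getUserByLogin` is still authenticated on the lookup alone. If that is intended for the non-Person documents this plugin serves, say so in a comment such as `# Persons must hold a valid Assignment; other user documents are accepted on lookup alone`. The two nested conditions can be written as one: `if user.getPortalType() == 'Person' and not getValidAssignmentList(user):`. `CachingMethod` is imported in this file, so if the result of this method or of `getUserByLogin` is cached (not visible here), a Person whose assignment has ended may keep authenticating until the cache expires; that is worth confirming. The enclosing method starts outside the hunk.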