Rewrite the code of forcing authorization, so that Unauthorized is raised,...

Rewrite the code of forcing authorization, so that Unauthorized is raised, only if authorization is forced in a given context, and a document can be retrieved in an unrestricted way. Otherwise, a traversal fails for any attribute that does not exist with Unauthorized, and indexing may fail. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@21255 20353a03-c40f-0410-a6d1-a30d3c3de9de

Rewrite the code of forcing authorization, so that Unauthorized is raised,...
Rewrite the code of forcing authorization, so that Unauthorized is raised, only if authorization is forced in a given context, and a document can be retrieved in an unrestricted way. Otherwise, a traversal fails for any attribute that does not exist with Unauthorized, and indexing may fail. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@21255 20353a03-c40f-0410-a6d1-a30d3c3de9de
c0effc15 · Yoshinori Okuji · a2c29757 · c0effc15
Commit c0effc15 authored May 31, 2008 by Yoshinori Okuji
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 6 deletions

product/ERP5/Document/Document.py product/ERP5/Document/Document.py +6 -6

No files found.
--- a/product/ERP5/Document/Document.py
+++ b/product/ERP5/Document/Document.py
@@ -47,6 +47,7 @@ from Products.ERP5Type.ExtensibleTraversable import ExtensibleTraversableMixIn
 from Products.ERP5Type.Cache import getReadOnlyTransactionCache
 from Products.ERP5.Document.Url import UrlMixIn
 from Products.ERP5.Tool.ContributionTool import MAX_REPEAT
+from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
 from AccessControl import Unauthorized

 _MARKER = []
@@ -308,17 +309,16 @@ class PermanentURLMixIn(ExtensibleTraversableMixIn):
                                            original_id=document.getId(),
                                            editable_absolute_url=document.absolute_url()))
      return document.__of__(self)
+
    # no document found for current user, still such document may exists
    # in some cases user (like Anonymous) can not view document according to portal catalog
    # but we may ask him to login if such a document exists
-    # XXX: make sure document exists
-    if getattr(self,  'isAuthorizationForced',  None) is not None:
-      if self.isAuthorizationForced():
+    isAuthorizationForced = getattr(self, 'isAuthorizationForced', None)
+    if isAuthorizationForced is not None and isAuthorizationForced():
+      getDocumentValue = UnrestrictedMethod(self.getDocumentValue)
+      if getDocumentValue(name=name, portal=portal) is not None:
        # force user to login as specified in Web Section
        raise Unauthorized
-    else:
-      # force user to login unconditionally of context
-      raise Unauthorized

  security.declareProtected(Permissions.View, 'getDocumentValue')
  def getDocumentValue(self, name=None, portal=None, **kw):