Commit a95a5aec authored by Vincent Pelletier's avatar Vincent Pelletier

fixup! ERP5Security.ERP5UserFactory: cache path instead of object.

Apply security in ERP5User methods.
parent a14341a6
...@@ -204,7 +204,7 @@ class ERP5User(PropertiedUser): ...@@ -204,7 +204,7 @@ class ERP5User(PropertiedUser):
""" """
result = self._user_path result = self._user_path
if result is not None: if result is not None:
return self.getPortalObject().unrestrictedTraverse(result) return self.getPortalObject().restrictedTraverse(result)
# user id may match in more than one PAS plugin, but fail if more than one # user id may match in more than one PAS plugin, but fail if more than one
# underlying path is found. # underlying path is found.
user_path_set = {x['path'] for x in self.aq_parent.searchUsers( user_path_set = {x['path'] for x in self.aq_parent.searchUsers(
...@@ -214,7 +214,7 @@ class ERP5User(PropertiedUser): ...@@ -214,7 +214,7 @@ class ERP5User(PropertiedUser):
if user_path_set: if user_path_set:
user_path, = user_path_set user_path, = user_path_set
self._user_path = user_path self._user_path = user_path
return self.getPortalObject().unrestrictedTraverse(user_path) return self.getPortalObject().restrictedTraverse(user_path)
def getLoginValue(self): def getLoginValue(self):
""" -> login document """ -> login document
...@@ -223,7 +223,7 @@ class ERP5User(PropertiedUser): ...@@ -223,7 +223,7 @@ class ERP5User(PropertiedUser):
""" """
result = self._login_path result = self._login_path
if result is not None: if result is not None:
return self.getPortalObject().unrestrictedTraverse(result) return self.getPortalObject().restrictedTraverse(result)
# user name may match at most once, or there can be endless ambiguity. # user name may match at most once, or there can be endless ambiguity.
user_list = [x for x in self.aq_parent.searchUsers( user_list = [x for x in self.aq_parent.searchUsers(
exact_match=True, exact_match=True,
...@@ -233,7 +233,7 @@ class ERP5User(PropertiedUser): ...@@ -233,7 +233,7 @@ class ERP5User(PropertiedUser):
user, = user_list user, = user_list
login, = user['login_list'] login, = user['login_list']
result = self._login_path = login['path'] result = self._login_path = login['path']
return self.getPortalObject().unrestrictedTraverse(result) return self.getPortalObject().restrictedTraverse(result)
def getLoginValueList(self, portal_type=None, limit=None): def getLoginValueList(self, portal_type=None, limit=None):
""" -> list of login documents """ -> list of login documents
...@@ -251,8 +251,8 @@ class ERP5User(PropertiedUser): ...@@ -251,8 +251,8 @@ class ERP5User(PropertiedUser):
) if 'login_list' in user ) if 'login_list' in user
for login in user['login_list'] for login in user['login_list']
} }
unrestrictedTraverse = self.getPortalObject().unrestrictedTraverse restrictedTraverse = self.getPortalObject().restrictedTraverse
return [unrestrictedTraverse(x) for x in user_path_set] return [restrictedTraverse(x) for x in user_path_set]
InitializeClass(ERP5User) InitializeClass(ERP5User)
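Review bot: With `restrictedTraverse`, the final list comprehension in getLoginValueList (`[restrictedTraverse(x) for x in user_path_set]`) now fails as a whole if any single login document is not accessible, because a failed check raises Unauthorized instead of returning the object. The same applies to the single-document returns in getUserValue and getLoginValue. The check is made against the current security manager, which is not necessarily the user this ERP5User instance represents (for example while authentication is still in progress; that is not visible here and should be confirmed against callers). I would state the new contract in each docstring, e.g. `Raises Unauthorized when the current security context cannot access the document.`, and decide explicitly whether getLoginValueList should propagate the error or skip inaccessible logins. The method bodies start outside the hunks shown, so existing handling cannot be checked from this page.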
......