erp5_hal_json_style: Check if access is restricted prior traversing documents

bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py

@@ -532,6 +532,20 @@ def parseActionUrl(url):
     'url': url
   }
 
+def redirectToLoginForm():
+  login_relative_url = site_root.getLayoutProperty("configuration_login", default="")
+  if (login_relative_url):
+    response.setHeader(
+      'WWW-Authenticate',
+      'X-Delegate uri="%s"' % (url_template_dict["login_template"] % {
+        "root_url": site_root.absolute_url(),
+        "login": login_relative_url
+      })
+    )
+  response.setStatus(401)
+  return ""
+
+
 def getFormRelativeUrl(form):
   return portal.portal_catalog(
     portal_type=("ERP5 Form", "ERP5 Report"),
@@ -1324,17 +1338,7 @@ def calculateHateoas(is_portal=None, is_site_root=None, traversed_document=None,
     }
 
   if (restricted == 1) and (portal.portal_membership.isAnonymousUser()):
-    login_relative_url = site_root.getLayoutProperty("configuration_login", default="")
-    if (login_relative_url):
-      response.setHeader(
-        'WWW-Authenticate',
-        'X-Delegate uri="%s"' % (url_template_dict["login_template"] % {
-          "root_url": site_root.absolute_url(),
-          "login": login_relative_url
-        })
-      )
-    response.setStatus(401)
-    return ""
+    return redirectToLoginForm()
 
   elif mime_type != traversed_document.Base_handleAcceptHeader([mime_type]):
     response.setStatus(406)
@@ -2187,6 +2191,10 @@ else:
 
 context.Base_prepareCorsResponse(RESPONSE=response)
 
+# Check if restricted prior traversing any documents
+if (restricted == 1) and (portal.portal_membership.isAnonymousUser()):
+  return redirectToLoginForm()
+
 # Check if traversed_document is the site_root
 if relative_url:
   temp_traversed_document = site_root.restrictedTraverse(relative_url, None)