Commit 4a4a329f authored by Łukasz Nowak's avatar Łukasz Nowak

Secure certificate management.

Use checkUserCanChangePassword by default, but as in ERP5 users do not have
such permission on the Person document which defines them, check if the logged in
user's login is the same as the document reference.
parent e55b5bf8
from AccessControl import ClassSecurityInfo from AccessControl import ClassSecurityInfo, Unauthorized, getSecurityManager
from Products.ERP5.Document.Person import Person as ERP5Person from Products.ERP5.Document.Person import Person as ERP5Person
class Person(ERP5Person): class Person(ERP5Person):
security = ClassSecurityInfo() security = ClassSecurityInfo()
security.declarePublic('getCertificate') security.declarePublic('getCertificate')
def _checkReference(self): def _checkCertificateRequest(self):
if not self.getReference(): try:
raise ValueError('No reference set.') self.checkUserCanChangePassword()
except Unauthorized:
# in ERP5 user has no SetOwnPassword permission on Person document
# referring himself, so implement "security" by checking that currently
# logged in user is trying to get/revoke his own certificate
reference = self.getReference()
if not reference:
raise
if getSecurityManager().getUser().getId() != reference:
raise
def _getCertificate(self): def _getCertificate(self):
return self.getPortalObject().portal_certificate_authority\ return self.getPortalObject().portal_certificate_authority\
...@@ -18,13 +28,11 @@ class Person(ERP5Person): ...@@ -18,13 +28,11 @@ class Person(ERP5Person):
def getCertificate(self): def getCertificate(self):
"""Returns new SSL certificate""" """Returns new SSL certificate"""
self._checkReference() self._checkCertificateRequest()
self.checkUserCanChangePassword()
return self._getCertificate() return self._getCertificate()
security.declarePublic('revokeCertificate') security.declarePublic('revokeCertificate')
def revokeCertificate(self): def revokeCertificate(self):
"""Revokes existing certificate""" """Revokes existing certificate"""
self._checkReference() self._checkCertificateRequest()
self.checkUserCanChangePassword()
self._revokeCertificate() self._revokeCertificate()
242 243
\ No newline at end of file \ No newline at end of file
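Review bot: In `_checkCertificateRequest` the empty-reference guard now runs only inside the `except Unauthorized` branch, so a caller for whom `checkUserCanChangePassword()` succeeds can reach `_getCertificate()` or `_revokeCertificate()` on a Person with no reference, which the removed `_checkReference` always rejected with `ValueError('No reference set.')`. Consider reading `reference = self.getReference()` before the `try:` and keeping `if not reference: raise ValueError('No reference set.')` there, so both paths validate the document first. Because `getCertificate` and `revokeCertificate` are declared public, this helper is the only access gate, and a short docstring saying so would help the next maintainer. The fallback compares `getSecurityManager().getUser().getId()` with the reference as plain strings, so it is worth confirming that a user defined in a different user folder with the same id cannot match. The bodies of `_getCertificate` and `_revokeCertificate` are cut off on this page, so how they use the reference is inferred.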