[Erp5-dev] security-unaware catalog calls
Jean-Paul Smets
jp at nexedi.com
Sat Jan 20 15:18:06 CET 2007
On Saturday 20 January 2007 14:20, bartek wrote:
> Hello
>
> If I am writing a Product class and I need to check something in the
> portal_catalog, but bypassing security restrictions - is delegation to a
> Script (Python) with proxy roles the only way to do it, or can it be
> done from the class?
Using proxy roles on scripts does not help since catalog and SQL methods
use the user security context.
Have a look at aq_dynamic of WebSection.py for an example of a solution.
Another way is to add a method to catalog (ERP5 Catalog)
unrestrictedSearchResults
unrestrictedCountResults
which does not take into account allowedRoles and users. I do not know if
this is already implemented or not but it is generally agreed to be
needed.
This method could be called from a script with proxy roles.
JPS.
>
> Bartek
> _______________________________________________
> Erp5-dev mailing list
> Erp5-dev at erp5.org
> http://erp5.org/mailman/listinfo/erp5-dev
--
Jean-Paul Smets-Solanes, Nexedi CEO - Tel. +33(0)6 62 05 76 14
Nexedi: Consulting and Development of Libre / Open Source Software
http://www.nexedi.com
ERP5: Libre/ Open Source ERP Software for small and medium companies
http://www.erp5.org
Rentalinux: Desktop Linux Server
http://www.rentalinux.com
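
A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not ERP5 or Zope code and not part of either message. `ToyCatalog`, `Row`, `User` and `reference_is_taken` are hypothetical names and the rows are constructed sample data; the model assumes the security filter is built from the authenticated user, as the reply states.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

@dataclass(frozen=True)
class Row:
    path: str
    reference: str
    allowed: frozenset  # role names and "user:<id>" tokens allowed to view the row

class ToyCatalog:
    """Hypothetical stand-in for a catalog with security-filtered queries."""
    def __init__(self, rows, get_current_user):
        self._rows = list(rows)
        self._get_current_user = get_current_user

    def unrestrictedSearchResults(self, **query):
        # No security filter: keep this unreachable from untrusted code.
        return [r for r in self._rows
                if all(getattr(r, k) == v for k, v in query.items())]

    def unrestrictedCountResults(self, **query):
        return len(self.unrestrictedSearchResults(**query))

    def searchResults(self, **query):
        # The filter comes from the authenticated user, so proxy roles
        # granted to a calling script never widen the result set.
        user = self._get_current_user()
        tokens = set(user.roles) | {"user:" + user.name}
        return [r for r in self.unrestrictedSearchResults(**query)
                if r.allowed & tokens]

def reference_is_taken(catalog, reference):
    """Trusted wrapper: exposes a yes/no answer, never the hidden rows."""
    return catalog.unrestrictedCountResults(reference=reference) > 0

# Constructed sample data.
ROWS = [
    Row("/doc/1", "INV-001", frozenset({"Manager"})),
    Row("/doc/2", "INV-002", frozenset({"Member", "user:bob"})),
]
alice = User("alice", frozenset({"Member"}))
catalog = ToyCatalog(ROWS, lambda: alice)

if __name__ == "__main__":
    print(catalog.searchResults(reference="INV-001"))   # hidden from alice
    print(reference_is_taken(catalog, "INV-001"))       # wrapper still sees it
```

Keeping the unrestricted call behind a narrow wrapper such as `reference_is_taken` limits what a caller can learn about documents it is not allowed to view.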