[Erp5-report] r12059 - /erp5/trunk/products/ERP5Form/Form.py

nobody at svn.erp5.org nobody at svn.erp5.org
Sat Jan 13 16:08:08 CET 2007


Author: jp
Date: Sat Jan 13 16:08:05 2007
New Revision: 12059

URL: http://svn.erp5.org?rev=12059&view=rev
Log:
Added extra check to make sure View permission is required to render a Form.

Modified:
    erp5/trunk/products/ERP5Form/Form.py

Modified: erp5/trunk/products/ERP5Form/Form.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Form/Form.py?rev=12059&r1=12058&r2=12059&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Form/Form.py (original)
+++ erp5/trunk/products/ERP5Form/Form.py Sat Jan 13 16:08:05 2007
@@ -32,7 +32,9 @@
 from Products.Formulator.DummyField import fields
 from Products.Formulator.XMLToForm import XMLToForm
 from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
-from Products.ERP5Type import PropertySheet
+from Products.CMFCore.utils import _checkPermission
+from Products.CMFCore.exceptions import AccessControl_Unauthorized
+from Products.ERP5Type import PropertySheet, Permissions
 
 from urllib import quote
 from Globals import InitializeClass, PersistentMapping, DTMLFile, get_request
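Review bot: The new check imports `_checkPermission`, an underscore-prefixed helper from CMFCore rather than a public API, which ties this module to a private name that the upstream package is free to rename. Presumably it was chosen because it is what the rest of ERP5 already uses; if so, a one-line comment such as `# _checkPermission is the CMFCore helper used across ERP5 for permission checks` above the import would make that choice explicit for the next reader.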
@@ -362,12 +364,35 @@
 
     # Proxy method to PageTemplate
     def __call__(self, *args, **kwargs):
+        # Security
+        #
+        # The minimal action consists in checking that
+        # we have View permission on the current object
+        # before rendering a form. Otherwise, object with
+        # AccessContentInformation can be viewed by invoking
+        # a form directly.
+        #
+        # What would be better is to prevent calling certain
+        # forms to render objects. This can not be done
+        # through actions since we are using sometimes forms
+        # to render the results of a report dialog form.
+        # An a appropriate solutions could consist in adding
+        # a permission field to the form. Another solutions
+        # is the use of REFERER in the rendering process.
+        #
+        # Both solutions are not perfect if the goal is, for
+        # example, to prevent displaying private information of
+        # staff. The only real solution is to use a special
+        # permission (ex. AccessPrivateInformation) for those
+        # properties which are sensitive.
         if not kwargs.has_key('args'):
             kwargs['args'] = args
         form = self
         object = getattr(form, 'aq_parent', None)
-        if object:
+        if object is not None:
           container = object.aq_inner.aq_parent
+          if not _checkPermission(Permissions.View, object):
+            raise AccessControl_Unauthorized('This document is not authorizes for view.')
         else:
           container = None
         pt = getattr(self,self.pt)
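Review bot: The error message raised on the new `raise AccessControl_Unauthorized(...)` line has a typo ("not authorizes"); it should read `raise AccessControl_Unauthorized('This document is not authorized for view.')`. Raising Unauthorized rather than returning an empty page is the right choice here, since it lets the publisher challenge for credentials, but the guard only runs on the `object is not None` branch, so a form with no acquisition parent is still rendered with no permission check at all; if that is intended (a standalone form has nothing to protect), a short comment on the `else:` branch saying so would prevent the gap being read as an oversight. The two added lines follow the surrounding 2-space nested indent under an 8-space body, which leaves the method with mixed indentation; re-indenting the whole `if`/`else` to 4 spaces in a follow-up would make this easier to read. The long comment block is useful, but the sentence starting "An a appropriate solutions" should be tightened to "An appropriate solution could consist in adding a permission field to the form. Another solution is the use of REFERER in the rendering process." The body of `__call__` continues past the end of the hunk.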



