[Erp5-report] r21255 - /erp5/trunk/products/ERP5/Document/Document.py
nobody at svn.erp5.org
nobody at svn.erp5.org
Sat May 31 12:42:37 CEST 2008
Author: yo
Date: Sat May 31 12:42:36 2008
New Revision: 21255
URL: http://svn.erp5.org?rev=21255&view=rev
Log:
Rewrite the forced-authorization code so that Unauthorized is raised only if authorization is forced in a given context and a document can be retrieved in an unrestricted way. Otherwise, traversal fails with Unauthorized for any attribute that does not exist, and indexing may fail.
Modified:
erp5/trunk/products/ERP5/Document/Document.py
Modified: erp5/trunk/products/ERP5/Document/Document.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5/Document/Document.py?rev=21255&r1=21254&r2=21255&view=diff
==============================================================================
--- erp5/trunk/products/ERP5/Document/Document.py (original)
+++ erp5/trunk/products/ERP5/Document/Document.py Sat May 31 12:42:36 2008
@@ -47,6 +47,7 @@
from Products.ERP5Type.Cache import getReadOnlyTransactionCache
from Products.ERP5.Document.Url import UrlMixIn
from Products.ERP5.Tool.ContributionTool import MAX_REPEAT
+from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
from AccessControl import Unauthorized
_MARKER = []
@@ -308,17 +309,16 @@
original_id=document.getId(),
editable_absolute_url=document.absolute_url()))
return document.__of__(self)
+
# no document found for current user, still such document may exists
# in some cases user (like Anonymous) can not view document according to portal catalog
# but we may ask him to login if such a document exists
- # XXX: make sure document exists
- if getattr(self, 'isAuthorizationForced', None) is not None:
- if self.isAuthorizationForced():
+ isAuthorizationForced = getattr(self, 'isAuthorizationForced', None)
+ if isAuthorizationForced is not None and isAuthorizationForced():
+ getDocumentValue = UnrestrictedMethod(self.getDocumentValue)
+ if getDocumentValue(name=name, portal=portal) is not None:
# force user to login as specified in Web Section
raise Unauthorized
- else:
- # force user to login unconditionally of context
- raise Unauthorized
security.declareProtected(Permissions.View, 'getDocumentValue')
def getDocumentValue(self, name=None, portal=None, **kw):
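Review bot: The unrestricted lookup added at `getDocumentValue = UnrestrictedMethod(self.getDocumentValue)` makes the outcome an existence signal. Where authorization is forced, a caller without View permission gets Unauthorized for a name that resolves to a document and falls through for one that does not. The surrounding comment suggests this trade-off is intended, but it should be stated next to the call, for example `# unrestricted lookup is an existence check only; never return or log its result`, so a later edit does not hand the privileged result back to the caller. The local name also shadows the method it wraps, and `unrestricted_lookup` would read more clearly. The enclosing method starts before this hunk, so how `name` and `portal` are derived is not visible here.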