[Erp5-report] r21362 - /erp5/trunk/products/ERP5Type/UnrestrictedMethod.py
nobody at svn.erp5.org
nobody at svn.erp5.org
Thu Jun 5 19:24:32 CEST 2008
Author: yo
Date: Thu Jun 5 19:24:30 2008
New Revision: 21362
URL: http://svn.erp5.org?rev=21362&view=rev
Log:
Change the handling of Anonymous User.
Modified:
erp5/trunk/products/ERP5Type/UnrestrictedMethod.py
Modified: erp5/trunk/products/ERP5Type/UnrestrictedMethod.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/UnrestrictedMethod.py?rev=21362&r1=21361&r2=21362&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/UnrestrictedMethod.py (original)
+++ erp5/trunk/products/ERP5Type/UnrestrictedMethod.py Thu Jun 5 19:24:30 2008
@@ -27,9 +27,13 @@
##############################################################################
from AccessControl.User import UnrestrictedUser
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from AccessControl.SpecialUsers import system
from AccessControl.SecurityManagement import getSecurityManager, \
newSecurityManager, setSecurityManager
+try:
+ from Zope2 import app
+except ImportError:
+ from Zope import app
class PrivilegedUser(UnrestrictedUser):
"""User that bypasses all security checks, but retains an original
@@ -68,23 +72,25 @@
def __call__(self, *args, **kw):
security_manager = getSecurityManager()
user = security_manager.getUser()
- isAnonymousUser = user.getUserName()=='Anonymous User'
- if user.getId() is None and not isAnonymousUser:
+ anonymous = (user.getUserName() == 'Anonymous User')
+ if user.getId() is None and not anonymous:
# This is a special user, thus the user is not allowed to own objects.
super_user = UnrestrictedUser(user.getUserName(), None,
user.getRoles(), user.getDomains())
- elif isAnonymousUser:
- # switch to ERP5 SUPER_USER
- # XXX: hard-coded username and roles (this is bad but no way we could
- # currently get context (i.e. switch to roles of owner of portal)
- # another possibility is to pass username, roles from outside in constructor
- super_user = UnrestrictedUser(SUPER_USER, None,
- ('Manager', 'Assignor' ), ('',))
else:
- uf = user.aq_inner.aq_parent
- # XXX is it better to get roles from the parent (i.e. portal)?
+ try:
+ # XXX is it better to get roles from the parent (i.e. portal)?
+ uf = user.aq_inner.aq_parent
+ except AttributeError:
+ uf = app().acl_users
role_list = uf.valid_roles()
- super_user = PrivilegedUser(user.getId(), None,
+ if anonymous:
+ # If the user is anonymous, use the id of the system user,
+ # so that it would not be treated as an unauthorized user.
+ user_id = str(system)
+ else:
+ user_id = user.getId()
+ super_user = PrivilegedUser(user_id, None,
role_list, user.getDomains()).__of__(uf)
newSecurityManager(None, super_user)
try:
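Review bot: The new fallback `uf = app().acl_users` calls `app()`, which as far as I know opens a fresh ZODB connection on each call in Zope 2; nothing in this hunk keeps the returned root or closes that connection, so every call that takes the `except AttributeError` path may leak one connection from the pool. Keep the root in a local (`root = app()`, then `uf = root.acl_users`) and release it with `root._p_jar.close()` only after the wrapped call has finished; the `try:` on the last line continues outside the hunk, so I cannot see whether its cleanup clause can host that. Separately, the anonymous branch now builds a `PrivilegedUser` whose id is `str(system)` and whose roles are everything `uf.valid_roles()` returns, so work done for an unauthenticated caller is attributed to the system user. A comment such as `# anonymous callers run under the system user's id; log the original user name for audit`, together with a log line, would keep those actions distinguishable from real system processes.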