Proxy roles don't work for a Script using portal_catalog.searchResults

Bug #161629 reported by james wang

Affects: Zope CMF buildout
Status: Fix Released
Importance: Medium
Assigned to: Tres Seaver
Milestone:

Bug Description

If some content is not allowed to be searched by the portal search utility, but needs to be searched using a Script (Python) with proxy roles (one of the use cases is card verification), the Products.CMFPlone.CatalogTool.searchResults() method will ignore the proxy role setting with kw['allowedRolesAndUsers'] = self._listAllowedRolesAndUsers(user).

So if we add the proxy roles to kw['allowedRolesAndUsers'], it will be correct.

Revision history for this message
james wang (jwzope) wrote :

Index: CatalogTool.py
===================================================================
--- CatalogTool.py (Revision 38302)
+++ CatalogTool.py (working copy)
@@ -15,7 +15,7 @@
 $Id$
 """

-from AccessControl import ClassSecurityInfo
+from AccessControl import ClassSecurityInfo,getSecurityManager
 from AccessControl.PermissionRole import rolesForPermissionOn
 from DateTime import DateTime
 from Globals import DTMLFile
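Review bot: the new import line is missing the space after the comma (`from AccessControl import ClassSecurityInfo, getSecurityManager`) that the surrounding imports use; more importantly, the only use this patch makes of `getSecurityManager` is to read `_context.stack`, a private attribute of the security manager, so the import brings in a dependency on Zope internals rather than on the public security API.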
@@ -275,7 +275,14 @@
                     query = (lo, hi)
                     range = 'min:max'
                 kw[k] = {'query': query, 'range': range}
+ else:
+ eo = getSecurityManager()._context.stack[-1]
+ proxy_roles = getattr(eo,'_proxy_roles',None)
+ if proxy_roles:
+ for r in proxy_roles:
+ kw['allowedRolesAndUsers'].append(r)

+
         return ZCatalog.searchResults(self, REQUEST, **kw)

     __call__ = searchResults
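Review bot: appending each proxy role to `kw['allowedRolesAndUsers']` supplements the caller's roles instead of replacing them, so a script with proxy roles can only ever widen what its caller sees and never narrow it, which is not how proxy roles behave elsewhere in Zope; when `proxy_roles` is non-empty the list should be rebuilt from the proxy roles (plus `'Anonymous'` and `'user:<id>'`) rather than extended. Two smaller points in the same lines: `getSecurityManager()._context.stack[-1]` raises IndexError when no executable is on the stack, so guard for an empty stack before indexing; and the indentation of the added `else:` is lost in the pasted hunk, so it is unclear which `if` it pairs with (as pasted it reads as the `else` of the permission check above, which would honour proxy roles on only that branch), so please attach the patch as a file. The `if proxy_roles:` test is the right one, since a script with no proxy roles carries an empty tuple rather than None.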

Revision history for this message
Stefan H. Holek (stefanholek) wrote :

Oh the horror :-).

Can't you use portal_catalog.unrestrictedSearchResults() ??

Revision history for this message
Tres Seaver (tseaver) wrote :

Status: Pending => Accepted

 Supporters added: tseaver

Uploaded: issue_380.patch

> = Comment - Entry #3 by shh on Feb 17, 2006 4:37 am
>
> Oh the horror :-).
>
> Can't you use portal_catalog.unrestrictedSearchResults() ??

Not from untrusted code, which is the only point in asking for
proxy roles in the first place.

> Index: CatalogTool.py
> ===================================================================
> --- CatalogTool.py (Revision 38302)
> +++ CatalogTool.py (working copy)
> @@ -15,7 +15,7 @@
> $Id$
> """
>
> -from AccessControl import ClassSecurityInfo
> +from AccessControl import ClassSecurityInfo,getSecurityManager
> from AccessControl.PermissionRole import rolesForPermissionOn
> from DateTime import DateTime
> from Globals import DTMLFile
> @@ -275,7 +275,14 @@
> query = (lo, hi)
> range = 'min:max'
> kw[k] = {'query': query, 'range': range}
> + else:
> + eo = getSecurityManager()._context.stack[-1]
> + proxy_roles = getattr(eo,'_proxy_roles',None)
> + if proxy_roles:
> + for r in proxy_roles:
> + kw['allowedRolesAndUsers'].append(r)
>
> +
> return ZCatalog.searchResults(self, REQUEST, **kw)
>
> __call__ = searchResults

This patch is not workable, because it ignores the fact that
proxy roles must *replace*, not supplement, the user's roles.

I'm attaching a patch, with tests, which makes proxy roles work
by changing how the catalog looks up the effective roles.

Revision history for this message
Tres Seaver (tseaver) wrote :

Status: Accepted => Resolved

Fix checked in on the 2.0 branch:

  http://svn.zope.org/CMF/branches/2.0/?rev=69961&view=rev

and the head:

  http://svn.zope.org/CMF/trunk/?rev=69962&view=rev

Revision history for this message
kanu (kanu2) wrote :

my problem with _listAllowedRolesAndUsers() is that
>getattr(eo, '_proxy_roles', None)
returns an empty tuple if there is no proxy role. Thus,
>if proxy_roles is not None:
will always match. So in the end _listAllowedRolesAndUsers() returns
['Anonymous','user:xxx'] even for managers.
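To make the two points in the thread concrete (Tres's point that proxy roles must replace rather than supplement the caller's roles, and kanu's point that a script without proxy roles carries an empty tuple rather than None), here is an added example that is not CMF's code and does not reproduce the checked-in fix. It models the allowedRolesAndUsers computation with plain Python stand-ins: the User and Script classes, the catalog contents, the user ids and the three variant functions are all constructed for illustration, and the `is not None` variant is a reconstruction of the check kanu describes, not the actual CMF source.

```python
from dataclasses import dataclass


@dataclass
class User:
    """Stand-in for a Zope user: getId() and getRoles() as plain fields (constructed)."""
    user_id: str
    roles: tuple


@dataclass
class Script:
    """Stand-in for a Script (Python).  Zope initialises _proxy_roles to an
    empty tuple, not None, which is the detail kanu's comment turns on."""
    _proxy_roles: tuple = ()


# Constructed catalog: record id -> values stored in the allowedRolesAndUsers
# KeywordIndex (the roles and 'user:<id>' principals allowed to View it).
CATALOG = {
    'front-page': ['Anonymous'],
    'members-only': ['Member', 'Manager'],
    'card-registry': ['Manager'],          # the "card verification" data
    'jans-draft': ['user:jan', 'Manager'],
}


def _finish(roles, user):
    # Every variant appends the two principals CMF always adds.
    result = list(roles)
    result.append('Anonymous')
    result.append('user:%s' % user.user_id)
    return result


def allowed_supplement(user, script):
    """James's patch: proxy roles are appended to the caller's roles, so a
    script can widen but never narrow what its caller sees."""
    return _finish(tuple(user.roles) + tuple(script._proxy_roles), user)


def allowed_is_not_none(user, script):
    """The check kanu describes: () is not None, so a script without proxy
    roles silently discards the caller's own roles."""
    proxy_roles = getattr(script, '_proxy_roles', None)
    roles = proxy_roles if proxy_roles is not None else user.roles
    return _finish(roles, user)


def allowed_replace(user, script=None):
    """Proxy roles replace the caller's roles when set; an empty tuple or a
    missing attribute means "no proxy roles" and keeps the caller's roles."""
    proxy_roles = getattr(script, '_proxy_roles', None)
    roles = proxy_roles if proxy_roles else user.roles
    return _finish(roles, user)


def search_results(allowed):
    """Mimic ZCatalog's 'or' query on a KeywordIndex: a record matches when
    any of its indexed principals is in the caller's allowed list."""
    allowed = set(allowed)
    return sorted(rid for rid, principals in CATALOG.items()
                  if allowed.intersection(principals))


ANON = User('anonymous', ('Anonymous',))            # constructed sample users
ADMIN = User('admin', ('Manager', 'Authenticated'))

if __name__ == '__main__':
    # The bug's use case: untrusted caller, script carrying a Manager proxy role.
    print(search_results(allowed_replace(ANON, Script(('Manager',)))))
    # kanu's regression: a Manager runs a script that has no proxy roles at all.
    print(search_results(allowed_is_not_none(ADMIN, Script())))
    print(search_results(allowed_replace(ADMIN, Script())))
    # Tres's point: appending cannot restrict a Manager to Member content, replacing can.
    print(search_results(allowed_supplement(ADMIN, Script(('Member',)))))
    print(search_results(allowed_replace(ADMIN, Script(('Member',)))))
```

Run as a script, the first query shows the anonymous caller reaching `card-registry` through the script's proxy role; the second shows the Manager reduced to `front-page` by the `is not None` check; the last two show that only the replacing variant lets a proxy role of `Member` hide Manager-only records from a Manager.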
