Avoid removeSecurityProxy calls in browser/logintoken.py
Bug #62674 reported by Guilherme Salgado

Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Triaged | Low | Unassigned | |
Bug Description
In that file we have to remove the security proxy of a person object in three different places, because we have a scenario where the user is not logged in but we need to set some attributes that require the launchpad.Edit permission. Since at these points we know the user interacting with the system has access to the email address registered for the account in context, we could avoid removing the security proxy by logging in the user and then setting the attributes.
tags: added: tech-debt
security vulnerability: yes → no
visibility: private → public
I've tried this by calling the BaseLoginTokenView.logInPersonByEmail() method, but it didn't work.
As Bjorn pointed out, this might be because that method doesn't replace the current anonymous interaction with a new authenticated one.
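
The difference between the two approaches in this report, and the explanation suggested in the comment above, shown as an added example that is not part of the bug report or of Launchpad's code. It is a simplified pure-Python model of a permission-checking proxy, not zope.security; the `displayname` attribute, the own-record edit policy and all function names are assumptions made for illustration.

```python
# Simplified stand-in for a permission-checking proxy; NOT zope.security or Launchpad code.
from contextlib import contextmanager

class Unauthorized(Exception):
    pass

class Person:
    def __init__(self, email):
        self.email = email
        self.displayname = None   # hypothetical attribute guarded by launchpad.Edit

_current = {"principal": None}    # None models the anonymous interaction
_session = {}                     # models login state kept outside the interaction

def check_permission(permission, obj):
    # Assumed policy for this model: a person may edit only their own record.
    return permission == "launchpad.Edit" and _current["principal"] is obj

class Proxy:
    def __init__(self, obj):
        object.__setattr__(self, "_obj", obj)
    def __getattr__(self, name):
        return getattr(object.__getattribute__(self, "_obj"), name)
    def __setattr__(self, name, value):
        obj = object.__getattribute__(self, "_obj")
        if not check_permission("launchpad.Edit", obj):
            raise Unauthorized(name)
        setattr(obj, name, value)

def remove_proxy(proxied):
    # Returns the bare object: every later write skips the permission check.
    return object.__getattribute__(proxied, "_obj")

def record_login_only(person):
    # Stores the login but leaves the anonymous interaction in place.
    _session["user"] = person.email

@contextmanager
def authenticated_interaction(person):
    # Replaces the interaction for the duration of the block, then restores it.
    previous, _current["principal"] = _current["principal"], person
    try:
        yield
    finally:
        _current["principal"] = previous

def try_set(proxied, value):
    # Returns True if the proxied write was allowed, False if it was refused.
    try:
        proxied.displayname = value
        return True
    except Unauthorized:
        return False
```

In this model a write through the proxy succeeds only while the interaction's principal is the person being edited, so the check stays in force for every other object, whereas `remove_proxy` disables it for the object entirely.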