Comment 3 for bug 161629

Revision history for this message
Tres Seaver (tseaver) wrote :

Status: Pending => Accepted

 Supporters added: tseaver

Uploaded: issue_380.patch

> = Comment - Entry #3 by shh on Feb 17, 2006 4:37 am
>
> Oh the horror :-).
>
> Can't you use portal_catalog.unrestrictedSearchResults() ??

Not from untrusted code, which is the only point in adking for
proxy roles in the first place.

> Index: CatalogTool.py
> ===================================================================
> --- CatalogTool.py (Revision 38302)
> +++ CatalogTool.py (working copy)
> @@ -15,7 +15,7 @@
> $Id$
> """
>
> -from AccessControl import ClassSecurityInfo
> +from AccessControl import ClassSecurityInfo,getSecurityManager
> from AccessControl.PermissionRole import rolesForPermissionOn
> from DateTime import DateTime
> from Globals import DTMLFile
> @@ -275,7 +275,14 @@
> query = (lo, hi)
> range = 'min:max'
> kw[k] = {'query': query, 'range': range}
> + else:
> + eo = getSecurityManager()._context.stack[-1]
> + proxy_roles = getattr(eo,'_proxy_roles',None)
> + if proxy_roles:
> + for r in proxy_roles:
> + kw['allowedRolesAndUsers'].append(r)
>
> +
> return ZCatalog.searchResults(self, REQUEST, **kw)
>
> __call__ = searchResults

This patch is not workable, because it ignores the fact that
proxy roles must *replace*, not supplement, the user's roles.

I'm attaching a patch, with tests, which makes proxy roles work
by changing how the catalog looks up the effective roles.