Add permission check to solve problem accessing private resources wit…

…h anonymous user
RedTurtle · Sep 20, 2023 · 78dfb37 · 78dfb37
1 parent 9eb62b9
commit 78dfb37
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 11 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,7 +4,9 @@ Changelog
 6.0.18 (unreleased)
 -------------------
 
-- Nothing changed yet.
+- Add permission check to solve problem accessing private resources with
+  anonymous user
+  [lucabel]
 
 
 6.0.17 (2023-09-06)

diff --git a/src/design/plone/contenttypes/restapi/serializers/summary.py b/src/design/plone/contenttypes/restapi/serializers/summary.py
@@ -241,6 +241,9 @@ def get_incarichi(self):
         for incarico in obj.incarichi_persona:
             if not incarico.to_object:
                 continue
+
+            if not api.user.has_permission("View", obj=incarico.to_object):
+                continue
             incarichi.append(incarico.to_object.title)
         return ", ".join(incarichi)
 
@@ -276,20 +279,26 @@ def __call__(self, force_all_metadata=False):
             res["compensi"] = json_compatible([])
 
         if safe_hasattr(self.context, "compensi-file"):
+            compensi_folder = getattr(self.context, "compensi-file")
             res["compensi_file"] = []
-            for brain in getattr(self.context, "compensi-file").getFolderContents():
-                res["compensi_file"].append(
-                    getMultiAdapter((brain, self.request), ISerializeToJsonSummary)()
-                )
+            if api.user.has_permission("View", obj=compensi_folder):
+                for brain in getattr(self.context, "compensi-file").getFolderContents():
+                    res["compensi_file"].append(
+                        getMultiAdapter(
+                            (brain, self.request), ISerializeToJsonSummary
+                        )()
+                    )
 
         if safe_hasattr(self.context, "importi-di-viaggio-e-o-servizi"):
+            importi_folder = getattr(self.context, "importi-di-viaggio-e-o-servizi")
             res["importi_di_viaggio_e_o_servizi"] = []
-            for brain in getattr(
-                self.context, "importi-di-viaggio-e-o-servizi"
-            ).getFolderContents():
-                res["importi_di_viaggio_e_o_servizi"].append(
-                    getMultiAdapter((brain, self.request), ISerializeToJsonSummary)()
-                )
+            if api.user.has_permission("View", obj=importi_folder):
+                for brain in importi_folder.getFolderContents():
+                    res["importi_di_viaggio_e_o_servizi"].append(
+                        getMultiAdapter(
+                            (brain, self.request), ISerializeToJsonSummary
+                        )()
+                    )
 
         if "atto_di_nomina" not in res:
             res["atto_di_nomina"] = None

diff --git a/src/design/plone/contenttypes/tests/test_ct_persona.py b/src/design/plone/contenttypes/tests/test_ct_persona.py
@@ -7,6 +7,7 @@
     DESIGN_PLONE_CONTENTTYPES_INTEGRATION_TESTING,
 )
 from plone import api
+from plone.app.testing import helpers
 from plone.app.testing import setRoles
 from plone.app.testing import SITE_OWNER_NAME
 from plone.app.testing import SITE_OWNER_PASSWORD
@@ -130,3 +131,27 @@ def test_delete_incarico_and_call_persona(self):
         )()
         # non ho incarichi, ma soprattutto non ho errori
         self.assertTrue(len(summary["incarichi"]) == 0)
+
+    def test_unauthorized_on_subfolder(self):
+        incarico = api.content.create(
+            container=self.persona.incarichi, type="Incarico", title="Sindaco"
+        )
+        commit()
+        intids = getUtility(IIntIds)
+        self.persona.incarichi_persona = [RelationValue(intids.getId(incarico))]
+        api.content.transition(obj=self.persona, transition="publish")
+        commit()
+
+        helpers.logout()
+        # with previous bug this as anonymous user return
+        # AccessControl.unauthorized.Unauthorized: You are not allowed to
+        # access '_Access_inactive_portal_content_Permission' in this context
+        persona_summary = getMultiAdapter(
+            (self.persona, self.request), ISerializeToJsonSummary
+        )()
+        self.assertFalse(persona_summary["incarichi"])
+        incarico_summary = getMultiAdapter(
+            (self.persona.incarichi.sindaco, self.request), ISerializeToJsonSummary
+        )()
+        self.assertEqual(incarico_summary["compensi_file"], [])
+        self.assertEqual(incarico_summary["importi_di_viaggio_e_o_servizi"], [])