diff --git a/CHANGES.rst b/CHANGES.rst
index 06639655..1d8b8dcd 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -4,7 +4,9 @@ Changelog
 6.0.18 (unreleased)
 -------------------
 
-- Nothing changed yet.
+- Add permission check to solve problem accessing private resources with
+ anonymous user
+ [lucabel]
 
 
 6.0.17 (2023-09-06)
diff --git a/src/design/plone/contenttypes/restapi/serializers/summary.py b/src/design/plone/contenttypes/restapi/serializers/summary.py
index 91d557dd..aad799df 100644
--- a/src/design/plone/contenttypes/restapi/serializers/summary.py
+++ b/src/design/plone/contenttypes/restapi/serializers/summary.py
@@ -241,6 +241,9 @@ def get_incarichi(self):
 for incarico in obj.incarichi_persona:
 if not incarico.to_object:
 continue
+
+ if not api.user.has_permission("View", obj=incarico.to_object):
+ continue
 incarichi.append(incarico.to_object.title)
 return ", ".join(incarichi)
 
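Review bot: The new guard still dereferences `incarico.to_object` three times per relation (the emptiness test on the line before, the permission check, and the `.title` access), so the relation lookup runs repeatedly and the object whose title is read is not literally the one that was permission-checked; bind it once, `target = incarico.to_object`, then test, check and read `target.title`. A "View" check also does not cover the effective/expiration window — the `Access inactive portal content` permission that the test's comment quotes from the original Unauthorized — so a published-but-expired target would still have its title listed to anonymous; if inactive targets can be reached here (I cannot tell from the hunk), checking that permission as well, or resolving titles through the catalog which applies both, is the safer guard. get_incarichi begins outside the hunk.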
@@ -276,20 +279,26 @@ def __call__(self, force_all_metadata=False):
 res["compensi"] = json_compatible([])
 
 if safe_hasattr(self.context, "compensi-file"):
+ compensi_folder = getattr(self.context, "compensi-file")
 res["compensi_file"] = []
- for brain in getattr(self.context, "compensi-file").getFolderContents():
- res["compensi_file"].append(
- getMultiAdapter((brain, self.request), ISerializeToJsonSummary)()
- )
+ if api.user.has_permission("View", obj=compensi_folder):
+ for brain in getattr(self.context, "compensi-file").getFolderContents():
+ res["compensi_file"].append(
+ getMultiAdapter(
+ (brain, self.request), ISerializeToJsonSummary
+ )()
+ )
 
 if safe_hasattr(self.context, "importi-di-viaggio-e-o-servizi"):
+ importi_folder = getattr(self.context, "importi-di-viaggio-e-o-servizi")
 res["importi_di_viaggio_e_o_servizi"] = []
- for brain in getattr(
- self.context, "importi-di-viaggio-e-o-servizi"
- ).getFolderContents():
- res["importi_di_viaggio_e_o_servizi"].append(
- getMultiAdapter((brain, self.request), ISerializeToJsonSummary)()
- )
+ if api.user.has_permission("View", obj=importi_folder):
+ for brain in importi_folder.getFolderContents():
+ res["importi_di_viaggio_e_o_servizi"].append(
+ getMultiAdapter(
+ (brain, self.request), ISerializeToJsonSummary
+ )()
+ )
 
 if "atto_di_nomina" not in res:
 res["atto_di_nomina"] = None
diff --git a/src/design/plone/contenttypes/tests/test_ct_persona.py b/src/design/plone/contenttypes/tests/test_ct_persona.py
index 7a8c7ba6..5d76519a 100644
--- a/src/design/plone/contenttypes/tests/test_ct_persona.py
+++ b/src/design/plone/contenttypes/tests/test_ct_persona.py
@@ -7,6 +7,7 @@
 DESIGN_PLONE_CONTENTTYPES_INTEGRATION_TESTING,
 )
 from plone import api
+from plone.app.testing import helpers
 from plone.app.testing import setRoles
 from plone.app.testing import SITE_OWNER_NAME
 from plone.app.testing import SITE_OWNER_PASSWORD
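Review bot: The compensi branch binds `compensi_folder` but the loop right after the new permission check still re-fetches the folder with `getattr(self.context, "compensi-file").getFolderContents()`, whereas the importi branch below iterates `importi_folder.getFolderContents()`; use `for brain in compensi_folder.getFolderContents():` so the object that passed `has_permission` is the one iterated and the two branches read alike. In both branches a folder the current user may not view now yields the same `[]` as an empty visible folder; if that is deliberate, a one-line comment at the check, `# folder not viewable by this user: report as empty rather than omit the key`, would save the next reader from re-deriving it. __call__ starts and ends outside the hunk.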
@@ -130,3 +131,27 @@ def test_delete_incarico_and_call_persona(self):
 )()
 # non ho incarichi, ma soprattutto non ho errori
 self.assertTrue(len(summary["incarichi"]) == 0)
+
+ def test_unauthorized_on_subfolder(self):
+ incarico = api.content.create(
+ container=self.persona.incarichi, type="Incarico", title="Sindaco"
+ )
+ commit()
+ intids = getUtility(IIntIds)
+ self.persona.incarichi_persona = [RelationValue(intids.getId(incarico))]
+ api.content.transition(obj=self.persona, transition="publish")
+ commit()
+
+ helpers.logout()
+ # with previous bug this as anonymous user return
+ # AccessControl.unauthorized.Unauthorized: You are not allowed to
+ # access '_Access_inactive_portal_content_Permission' in this context
+ persona_summary = getMultiAdapter(
+ (self.persona, self.request), ISerializeToJsonSummary
+ )()
+ self.assertFalse(persona_summary["incarichi"])
+ incarico_summary = getMultiAdapter(
+ (self.persona.incarichi.sindaco, self.request), ISerializeToJsonSummary
+ )()
+ self.assertEqual(incarico_summary["compensi_file"], [])
+ self.assertEqual(incarico_summary["importi_di_viaggio_e_o_servizi"], [])
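Review bot: `helpers.logout()` in the new test is never undone, so the security manager stays anonymous for the remainder of the method and, unless the layer re-logs the test user between tests, for later tests in this class; register the restore before logging out, e.g. `self.addCleanup(helpers.login, <layer portal>, SITE_OWNER_NAME)` with whichever user setUp logs in (setUp is outside the hunk). The three-line comment above the first `getMultiAdapter` call would read better as a statement of the regression, `# regression: as anonymous this used to raise Unauthorized (Access inactive portal content)`, rather than the attribute spelling of the permission. `self.persona.incarichi.sindaco` also couples the test to the id generated from the title "Sindaco"; passing the `incarico` object created above avoids that dependency.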