Open ramonski opened 8 years ago
Bypassing the security check:
    security.declarePublic('unSubscribe')
    def unSubscribe(self, subscriber_id, REQUEST=None):
        """The subscriber clicked the Unsubscribe button
        """
        subscriber = self.getSubscriberById(subscriber_id)
        if subscriber is not None:
            parent = subscriber.aq_parent
            # Bypassing security check
            #parent.manage_delObjects([subscriber_id, ])
            from Products.CMFCore.PortalFolder import PortalFolderBase as PortalFolder
            PortalFolder.manage_delObjects(parent, [subscriber_id, ])
            newSecurityManager(REQUEST, ownerOfObject(self))
        if REQUEST is not None:
            REQUEST.RESPONSE.redirect(self.absolute_url() + '/NewsletterTheme_unsubscribed')
        return

Problem
A newsletter subscriber is not allowed to unsubscribe within a NewsletterBTree folder

Steps to reproduce
subscribers
subscribers folder to store newsletter subscribers
Subscriber_editForm, e.g. http://localhost:8080/Plone/nl/subscribers/00002LIEsh/Subscriber_editForm

Traceback

Analysis
The unsubscribe method of the module NewsletterTheme.py is called:
Depending on whether the subscriber object is within the NewsletterTheme folder or within a NewsletterBTree, different methods of manage_delObjects are called.
Within NewsletterTheme:
Zope2-2.13.23-py2.7.egg/OFS/ObjectManager.py(513)manage_delObjects()
Within NewsletterBTree:
Products.Archetypes-1.9.10-py2.7.egg/Products/Archetypes/BaseFolder.py(109)manage_delObjects()
The last call checks security, which causes the Unauthorized Error
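
The difference between the two manage_delObjects paths in the analysis, and what the unbound base-class call in the workaround changes, as an added stand-alone example (not code from the issue or from Zope, Archetypes or PloneGazette). PlainFolder, CheckingFolder, the caller argument and the subscriber ids are stand-ins assumed for illustration; in Zope the check consults the current security manager rather than an argument.

```python
# Added illustration: a stand-alone model, not Zope/Archetypes/PloneGazette code.
# Class and function names below are stand-ins chosen for this example.

class Unauthorized(Exception):
    pass

# Constructed caller: an anonymous visitor holding no permissions.
ANONYMOUS = frozenset()

class PlainFolder(object):
    """Models the ObjectManager-style path: the method body only deletes."""
    def __init__(self, ids):
        self.items = dict((i, object()) for i in ids)

    def manage_delObjects(self, ids, caller=ANONYMOUS):
        for i in ids:
            del self.items[i]

class CheckingFolder(PlainFolder):
    """Models the BaseFolder-style path: check every item, then delegate."""
    def manage_delObjects(self, ids, caller=ANONYMOUS):
        for i in ids:
            if "Delete objects" not in caller:
                raise Unauthorized("no permission to remove %r" % i)
        return PlainFolder.manage_delObjects(self, ids, caller)

def unsubscribe(folder, subscriber_id):
    """Normal dispatch: the folder's own override runs."""
    folder.manage_delObjects([subscriber_id])

def unsubscribe_bypass(folder, subscriber_id):
    """Shape of the workaround: the unbound base-class call skips the override."""
    PlainFolder.manage_delObjects(folder, [subscriber_id])

def demo():
    out = {}
    for name, cls in (("plain", PlainFolder), ("checking", CheckingFolder)):
        folder = cls(["00001", "00002"])  # constructed subscriber ids
        try:
            unsubscribe(folder, "00001")
            out[name] = "deleted"
        except Unauthorized:
            out[name] = "Unauthorized"
    folder = CheckingFolder(["00001"])
    unsubscribe_bypass(folder, "00001")
    out["checking+bypass"] = "deleted" if "00001" not in folder.items else "kept"
    return out

if __name__ == "__main__":
    print(demo())
```

With the override skipped, nothing in the delete path checks the caller, so any authorization has to happen in the public unSubscribe method itself.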