Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

api.user.grant_roles: issue when no username is passed and obj is not None #418

Open
ale-rt opened this issue Oct 30, 2018 · 1 comment
Open

api.user.grant_roles: issue when no username is passed and obj is not None #418

ale-rt opened this issue Oct 30, 2018 · 1 comment

Comments

@ale-rt
Copy link
Member

ale-rt commented Oct 30, 2018

Looking at

plone.api/src/plone/api/user.py

Lines 365 to 383 in a8361ed

if user is None:
user = get(username=username)
# check we got a user
if user is None:
raise InvalidParameterError('User could not be found')
if isinstance(roles, tuple):
roles = list(roles)
# These roles cannot be granted
if 'Anonymous' in roles or 'Authenticated' in roles:
raise InvalidParameterError
if obj is None:
actual_roles = get_roles(user=user)
else:
# only roles persistent on the object, not from other providers
actual_roles = obj.get_local_roles_for_userid(username)
roles = list(set(actual_roles) | set(roles))

It seems that calling api.user.grant_roles(user=user, obj=obj) will remove all the roles because we will invoke:

plone.api/src/plone/api/user.py

Line 382 in a8361ed

actual_roles = obj.get_local_roles_for_userid(username)

passing None as a username.
@ale-rt
Copy link
Member Author

ale-rt commented Oct 30, 2018
edited

This needs a confirmation, I just got this suspect looking at the code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ale-rt