Merge pull request #19 from plone/move-participation

Move participation to after traversal
plone · Nov 21, 2016 · 7ff6ec8 · 7ff6ec8
2 parents 591b62b + 0b3da48
commit 7ff6ec8
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 12 deletions.
diff --git a/src/plone.server/CHANGELOG.rst b/src/plone.server/CHANGELOG.rst
@@ -7,6 +7,9 @@
 1.0a6 (2016-11-21)
 ------------------
 
+- Move authorization to after traversal
+  [vangheem]
+
 - Fix issue where you could not save data with the API
   [vangheem]
 

diff --git a/src/plone.server/plone/server/traversal.py b/src/plone.server/plone/server/traversal.py
@@ -109,18 +109,7 @@ async def subrequest(orig_request, path, relative_to_site=True,
 async def traverse(request, parent, path):
     """Do not use outside the main router function."""
     if IApplication.providedBy(parent):
-        # Manager participation
-        participation = parent.root_participation(request)
-        if participation:
-            logger.info('Root Participation added')
-            request.security.add(participation)
-
-        # User participation
-        participation = IParticipation(request)
-        # Lets extract the user from the request
-        await participation()
-        if participation.principal is not None:
-            request.security.add(participation)
+        request.application = parent
 
     if not path:
         return parent, path
@@ -329,6 +318,8 @@ async def real_resolve(self, request):
             view_name = tail[0]
             traverse_to = tail[1:]
 
+        await self.apply_authorization(request)
+
         translator = queryMultiAdapter(
             (language_object, resource, request),
             ITranslated)
@@ -407,3 +398,17 @@ async def traverse(self, request):
         path = tuple(p for p in request.path.split('/') if p)
         root = self._root
         return await traverse(request, root, path)
+
+    async def apply_authorization(self, request):
+        # first, use default root participation
+        participation = request.application.root_participation(request)
+        if participation:
+            logger.info('Root Participation added')
+            request.security.add(participation)
+
+        # User participation
+        participation = IParticipation(request)
+        # Lets extract the user from the request
+        await participation()
+        if participation.principal is not None:
+            request.security.add(participation)