fix(auth): Install to arbitrary ZODB OFS hierarchy

Don't assume that all Plone portals will be installed directly into the Zope root or that all ancestors above the Plone portal will have `./acl_users`. I don't have a case for this, I just noticed it when I was reading the code while working on Zope root auth issues. Also clarify the PAS install plugin process with comments.
plone · Feb 14, 2022 · 75aa812 · 75aa812
1 parent 68e9cdb
commit 75aa812
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/src/plone/restapi/setuphandlers.py b/src/plone/restapi/setuphandlers.py
@@ -33,8 +33,15 @@ def getNonInstallableProducts(self):  # pragma: no cover
 def install_pas_plugin(context):
     uf_parent = aq_inner(context)
     while True:
-        uf = getToolByName(uf_parent, "acl_users")
-        if IPluggableAuthService.providedBy(uf) and "jwt_auth" not in uf:
+        uf = getToolByName(uf_parent, "acl_users", default=None)
+
+        # Skip ancestor contexts to which we don't/can't apply
+        if uf is None or not IPluggableAuthService.providedBy(uf):
+            uf_parent = aq_parent(uf_parent)
+            continue
+
+        # Add the API token plugin if not already installed at this level
+        if "jwt_auth" not in uf:
             plugin = JWTAuthenticationPlugin("jwt_auth")
             uf._setObject(plugin.getId(), plugin)
             plugin = uf["jwt_auth"]
@@ -46,6 +53,8 @@ def install_pas_plugin(context):
                     "ICredentialsResetPlugin",
                 ],
             )
+
+        # Go up one more level
         if uf_parent is uf_parent.getPhysicalRoot():
             break
         uf_parent = aq_parent(uf_parent)