[Erp5-report] r12063 - /erp5/trunk/products/ERP5Type/Base.py
nobody at svn.erp5.org
nobody at svn.erp5.org
Sat Jan 13 16:37:34 CET 2007
Author: jp
Date: Sat Jan 13 16:37:33 2007
New Revision: 12063
URL: http://svn.erp5.org?rev=12063&view=rev
Log:
Add security declarations for the class and make the __call__ permission consistent with the view and list permissions.
Modified:
erp5/trunk/products/ERP5Type/Base.py
Modified: erp5/trunk/products/ERP5Type/Base.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Base.py?rev=12063&r1=12062&r2=12063&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Base.py (original)
+++ erp5/trunk/products/ERP5Type/Base.py Sat Jan 13 16:37:33 2007
@@ -386,8 +386,11 @@
aq_preference_generated = 0
# FIXME: Preference should not be included in ERP5Type
- # Declarative security
+ # Declarative security - in ERP5 we use AccessContentsInformation to
+ # define the right of accessing content properties as opposed
+ # to view which is the right to view the object with a form
security = ClassSecurityInfo()
+ security.declareObjectProtected(Permissions.AccessContentsInformation)
# Declarative properties
property_sheets = ( PropertySheet.Base, )
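Review bot: `security.declareObjectProtected(Permissions.AccessContentsInformation)` is an object-level declaration, but the new comment above it only describes the permission as the right to access content properties and does not say that instances themselves are now guarded by it. Any role that holds View without Access contents information would presumably be refused on every Base-derived object after this change, so the role-to-permission mappings of existing sites should be checked before this is deployed. I would add a line to the comment such as `# object-level: reaching a Base instance now requires AccessContentsInformation`. The class body starts and continues outside this hunk, so other declarations that interact with this one are not visible here.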
@@ -1847,17 +1850,22 @@
except TypeError:
return None
- # Default views
+ # Default views - the default security in CMFCore
+ # is View - however, security was not defined on
+ # __call__ - to be consistent, between view and
+ # __call__ we have to define permission here to View
+ security.declareProtected(Permissions.View, '__call__')
+
security.declareProtected(Permissions.View, 'list')
def list(self,reset=0):
- '''
- Returns the default list even if folder_contents is overridden.
- '''
- list_action = _getViewFor(self, view='list')
- if getattr(aq_base(list_action), 'isDocTemp', 0):
- return apply(list_action, (self, self.REQUEST),reset=reset)
- else:
- return list_action(reset=reset)
+ """
+ Returns the default list even if folder_contents is overridden.
+ """
+ list_action = _getViewFor(self, view='list')
+ if getattr(aq_base(list_action), 'isDocTemp', 0):
+ return apply(list_action, (self, self.REQUEST),reset=reset)
+ else:
+ return list_action(reset=reset)
# Proxy methods for security reasons
security.declareProtected(Permissions.AccessContentsInformation, 'getOwnerInfo')
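Review bot: `security.declareProtected(Permissions.View, '__call__')` protects a method by name, and no `__call__` definition is visible in this hunk. The comment should say where the method comes from (presumably inherited from CMFCore), so that a later override in this class is reviewed against this declaration. Together with the object-level `AccessContentsInformation` declaration in the first hunk, rendering an object now appears to need both permissions, which deserves a line like `# callers need AccessContentsInformation on the object and View for __call__/list`. Separately, in the re-indented `list` body, `apply(list_action, (self, self.REQUEST),reset=reset)` passes `reset` as a keyword to `apply` itself, which the Python 2 builtin rejects with a TypeError. `return list_action(self, self.REQUEST, reset=reset)` expresses the intended call for the `isDocTemp` branch.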