[Erp5-report] r12063 - /erp5/trunk/products/ERP5Type/Base.py

nobody at svn.erp5.org nobody at svn.erp5.org
Sat Jan 13 16:37:34 CET 2007


Author: jp
Date: Sat Jan 13 16:37:33 2007
New Revision: 12063

URL: http://svn.erp5.org?rev=12063&view=rev
Log:
Add security declarations for the class and make the __call__ permission consistent with the view and list permissions.

Modified:
    erp5/trunk/products/ERP5Type/Base.py

Modified: erp5/trunk/products/ERP5Type/Base.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Base.py?rev=12063&r1=12062&r2=12063&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Base.py (original)
+++ erp5/trunk/products/ERP5Type/Base.py Sat Jan 13 16:37:33 2007
@@ -386,8 +386,11 @@
   aq_preference_generated = 0
   # FIXME: Preference should not be included in ERP5Type
 
-  # Declarative security
+  # Declarative security - in ERP5 we use AccessContentsInformation to
+  # define the right of accessing content properties as opposed
+  # to view which is the right to view the object with a form
   security = ClassSecurityInfo()
+  security.declareObjectProtected(Permissions.AccessContentsInformation)
 
   # Declarative properties
   property_sheets = ( PropertySheet.Base, )
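Review bot: The new `security.declareObjectProtected(Permissions.AccessContentsInformation)` is placed on the base class, so it presumably becomes the object-level permission for every subclass that makes no object declaration of its own, yet the comment only explains the naming convention. Because the second hunk guards `__call__` and `list` with `Permissions.View`, a role that holds View but not AccessContentsInformation may no longer be able to reach the object in order to render it. It is worth checking the role mappings in the default workflows and adding a test that pins the intended behaviour. I would extend the comment with something like `# NOTE: object-level protection; roles granted View also need AccessContentsInformation to reach the object`. The class starts and ends outside the hunk, so whether it is passed through `InitializeClass` cannot be confirmed from here.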
@@ -1847,17 +1850,22 @@
     except TypeError:
       return None
 
-  # Default views
+  # Default views - the default security in CMFCore
+  # is View - however, security was not defined on
+  # __call__ -  to be consistent, between view and
+  # __call__ we have to define permission here to View
+  security.declareProtected(Permissions.View, '__call__')
+
   security.declareProtected(Permissions.View, 'list')
   def list(self,reset=0):
-        '''
-        Returns the default list even if folder_contents is overridden.
-        '''
-        list_action = _getViewFor(self, view='list')
-        if getattr(aq_base(list_action), 'isDocTemp', 0):
-            return apply(list_action, (self, self.REQUEST),reset=reset)
-        else:
-            return list_action(reset=reset)
+    """
+    Returns the default list even if folder_contents is overridden.
+    """
+    list_action = _getViewFor(self, view='list')
+    if getattr(aq_base(list_action), 'isDocTemp', 0):
+        return apply(list_action, (self, self.REQUEST),reset=reset)
+    else:
+        return list_action(reset=reset)
 
   # Proxy methods for security reasons
   security.declareProtected(Permissions.AccessContentsInformation, 'getOwnerInfo')
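Review bot: In `list`, the `isDocTemp` branch still calls `apply(list_action, (self, self.REQUEST),reset=reset)`, and the Python 2 built-in `apply()` takes keyword arguments as a third positional dict rather than as keywords, so this line should raise TypeError whenever that branch is taken. A direct call does the same job: `return list_action(self, self.REQUEST, reset=reset)`. The re-indented body also uses a 4-space step inside the method, while the surrounding class uses 2 spaces. The new `View` declaration on `__call__` would benefit from a test showing that a user without View is refused. The class body continues outside the hunk.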



