[Erp5-report] r26886 - in /erp5/trunk/products/ERP5: Document/ Tool/ tests/

nobody at svn.erp5.org nobody at svn.erp5.org
Fri May 8 06:05:00 CEST 2009 

Author: yusei
Date: Fri May  8 06:05:00 2009
New Revision: 26886

URL: http://svn.erp5.org?rev=26886&view=rev
Log:
Rename _setPasswordByForce to __setPasswordByForce and edit method cannot call it.

Modified:
    erp5/trunk/products/ERP5/Document/Person.py
    erp5/trunk/products/ERP5/Tool/PasswordTool.py
    erp5/trunk/products/ERP5/tests/testPerson.py

Modified: erp5/trunk/products/ERP5/Document/Person.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5/Document/Person.py?rev=26886&r1=26885&r2=26886&view=diff
==============================================================================
--- erp5/trunk/products/ERP5/Document/Person.py [utf8] (original)
+++ erp5/trunk/products/ERP5/Document/Person.py [utf8] Fri May  8 06:05:00 2009
@@ -207,7 +207,7 @@
     # public method(They are callable from user directly or through edit method)
     # _setPasswordByForce is needed to reset password without security check
     # by Password Tool.
-    def _setPasswordByForce(self, value):
+    def __setPasswordByForce(self, value):
       self.password = PersistentMapping()
       self._setEncodedPassword(pw_encrypt(value))
 
@@ -215,7 +215,7 @@
       if not _checkPermission(Permissions.SetOwnPassword, self):
         raise AccessControl_Unauthorized('setPassword')
       else:
-        self._setPasswordByForce(value)
+        self.__setPasswordByForce(value)
 
     security.declarePublic('setPassword')
     def setPassword(self, value) :

Modified: erp5/trunk/products/ERP5/Tool/PasswordTool.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5/Tool/PasswordTool.py?rev=26886&r1=26885&r2=26886&view=diff
==============================================================================
--- erp5/trunk/products/ERP5/Tool/PasswordTool.py [utf8] (original)
+++ erp5/trunk/products/ERP5/Tool/PasswordTool.py [utf8] Fri May  8 06:05:00 2009
@@ -200,7 +200,11 @@
     self.password_request_dict.pop(password_key)
     persons = self.acl_users.erp5_users.getUserByLogin(user_login)              
     person = persons[0]
-    person._setPasswordByForce(password)
+    # Calling private method starts with __ from outside is normally BAD,
+    # but if we leave the method as a normal method starts with _ and follow
+    # our naming convention, then the method can be callable through edit
+    # method without appropriate permission check and then security breaks.
+    person._Person__setPasswordByForce(password)
     person.reindexObject()
     if REQUEST is not None:
       msg = translateString("Password changed.")

Modified: erp5/trunk/products/ERP5/tests/testPerson.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5/tests/testPerson.py?rev=26886&r1=26885&r2=26886&view=diff
==============================================================================
--- erp5/trunk/products/ERP5/tests/testPerson.py [utf8] (original)
+++ erp5/trunk/products/ERP5/tests/testPerson.py [utf8] Fri May  8 06:05:00 2009
@@ -145,6 +145,10 @@
     # specific permission.
     p.setPassword(None)
     self.assertFalse(p.getPassword())
+    # Make sure that edit method cannot call __setPasswordByForce and nothing
+    # changes.
+    p.edit(password_by_force='waaa')
+    self.assertFalse(p.getPassword())
 
     p.manage_permission(Permissions.SetOwnPassword, ['Anonymous'], 0)
     p.setPassword('secret')

More information about the Erp5-report mailing list