[Erp5-report] r38378 jerome - /erp5/trunk/products/ERP5Type/Accessor/Base.py

nobody at svn.erp5.org nobody at svn.erp5.org
Wed Sep 15 09:30:41 CEST 2010


Author: jerome
Date: Wed Sep 15 09:30:39 2010
New Revision: 38378

URL: http://svn.erp5.org?rev=38378&view=rev
Log:
Honor class-defined security for generated accessors.

Modified:
    erp5/trunk/products/ERP5Type/Accessor/Base.py

Modified: erp5/trunk/products/ERP5Type/Accessor/Base.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Accessor/Base.py?rev=38378&r1=38377&r2=38378&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Accessor/Base.py [utf8] (original)
+++ erp5/trunk/products/ERP5Type/Accessor/Base.py [utf8] Wed Sep 15 09:30:39 2010
@@ -106,15 +106,23 @@ class Setter(Method):
     class __roles__:
       @staticmethod
       def rolesForPermissionOn(ob):
+        im_self = ob.im_self
+        name = '%s__roles__' % ob.__name__
         # we explictly call _aq_dynamic to prevent acquiering the attribute
         # from container
-        roles = ob.im_self._aq_dynamic('%s__roles__' % ob.__name__)
+        roles = im_self._aq_dynamic(name)
         if roles is None:
-            return rolesForPermissionOn(None, ob.im_self, ('Manager',),
+            # lookup on the class, as getRoles gives priority to ob.__roles__
+            # over class.ob__roles__, this way we have an opportunity to define
+            # security on the class for generated methods.
+            class_role = getattr(im_self.__class__, name, im_self)
+            if class_role is not im_self:
+                return class_role
+            return rolesForPermissionOn(None, im_self, ('Manager',),
                                         '_Modify_portal_content_Permission')
         else:
             # wrap explicitly, because we used _aq_dynamic
-            return roles.__of__(ob.im_self)
+            return roles.__of__(im_self)
 
 
 from Products.CMFCore.Expression import Expression
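Review bot: The new class-level fallback returns `class_role` unwrapped, whereas the instance-level branch wraps its result with `roles.__of__(im_self)`. If a class declares the accessor with a permission-based declaration, the attribute is presumably a role object that needs acquisition context to resolve to role names, so the two paths may hand the security policy different kinds of value. Consider `return class_role.__of__(im_self) if hasattr(class_role, '__of__') else class_role`, and add a test covering a protected, a public and a private class-level declaration. Because `getattr` on the class follows the MRO, a declaration on any base class now replaces the Manager / Modify portal content default, and the comment should say so. The same lines appear in the Getter hunk.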
@@ -183,15 +191,20 @@ class Getter(Method):
     class __roles__:
       @staticmethod
       def rolesForPermissionOn(ob):
+        im_self = ob.im_self
+        name = '%s__roles__' % ob.__name__
         # we explictly call _aq_dynamic to prevent acquiering the attribute
         # from container
-        roles = ob.im_self._aq_dynamic('%s__roles__' % ob.__name__)
+        roles = im_self._aq_dynamic(name)
         if roles is None:
-            return rolesForPermissionOn(None, ob.im_self, ('Manager',),
+            class_role = getattr(im_self.__class__, name, im_self)
+            if class_role is not im_self:
+                return class_role
+            return rolesForPermissionOn(None, im_self, ('Manager',),
                                         '_Access_contents_information_Permission')
         else:
             # wrap explicitly, because we used _aq_dynamic
-            return roles.__of__(ob.im_self)
+            return roles.__of__(im_self)
 
 
 class Tester(Method):
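Review bot: The Getter copy of the fallback has no comment explaining why the class is consulted, although the identical lines in Setter do; add `# fall back to security declared on the class for this generated getter` above `class_role = getattr(im_self.__class__, name, im_self)`. The two `rolesForPermissionOn` bodies now differ only in the permission name, so a shared module-level helper taking the permission as an argument would keep the lookup order in one place. A security precedence rule that is duplicated by hand is easy to change in one copy and not the other.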



