[Erp5-report] r38475 jerome - /erp5/trunk/products/ERP5Type/Accessor/Base.py

nobody at svn.erp5.org nobody at svn.erp5.org
Mon Sep 20 11:35:16 CEST 2010


Author: jerome
Date: Mon Sep 20 11:35:15 2010
New Revision: 38475

URL: http://svn.erp5.org?rev=38475&view=rev
Log:
Fix accessors security.
Class-defined permissions are sometimes given as a permission role, sometimes
directly as a list or as None. We have to distinguish the cases where
_aq_dynamic returns None from the cases where security is set to None.

Modified:
    erp5/trunk/products/ERP5Type/Accessor/Base.py

Modified: erp5/trunk/products/ERP5Type/Accessor/Base.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Accessor/Base.py?rev=38475&r1=38474&r2=38475&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Accessor/Base.py [utf8] (original)
+++ erp5/trunk/products/ERP5Type/Accessor/Base.py [utf8] Mon Sep 20 11:35:15 2010
@@ -117,10 +117,14 @@ class Setter(Method):
         roles = getattr(im_self.__class__, name, im_self)
         if roles is im_self:
           roles = im_self._aq_dynamic(name)
-        if roles is None:
-          return rolesForPermissionOn(None, im_self, ('Manager',),
-                                      '_Modify_portal_content_Permission')
-        return roles.__of__(im_self)
+          if roles is None:
+            return rolesForPermissionOn(None, im_self, ('Manager',),
+                                        '_Modify_portal_content_Permission')
+        # if roles has an __of__ method, call it explicitly, as the Method
+        # already has an __of__ method that has been already called at this
+        # point.
+        roles = getattr(roles, '__of__', lambda aq_parent: roles)(im_self)
+        return roles
 
 
 from Products.CMFCore.Expression import Expression
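Review bot: A class-level value of None now reaches the final `return roles` in Setter unchanged, where the old code replaced it with the `('Manager',)` / `_Modify_portal_content_Permission` lookup. In Zope's AccessControl a roles value of None is conventionally read as "public", so this presumably widens who may call the setter wherever a class declares None. The log message says the distinction is intended, but nothing in the code records it. I would add a comment before the `getattr(roles, '__of__', ...)` line, such as `# roles is None here only when the class declares it explicitly (public); an _aq_dynamic miss was handled above`, and a test that pins both cases. The same applies to the Getter hunk with `_Access_contents_information_Permission`; the enclosing method starts outside the hunk, so where `name` and `im_self` come from is not visible here.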
@@ -196,10 +200,11 @@ class Getter(Method):
         roles = getattr(im_self.__class__, name, im_self)
         if roles is im_self:
           roles = im_self._aq_dynamic(name)
-        if roles is None:
-          return rolesForPermissionOn(None, im_self, ('Manager',),
-                                      '_Access_contents_information_Permission')
-        return roles.__of__(im_self)
+          if roles is None:
+            return rolesForPermissionOn(None, im_self, ('Manager',),
+                                        '_Access_contents_information_Permission')
+        roles = getattr(roles, '__of__', lambda aq_parent: roles)(im_self)
+        return roles
 
 
 class Tester(Method):
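Review bot: The `getattr(roles, '__of__', lambda aq_parent: roles)(im_self)` line in Getter repeats the Setter line without the comment that explains it. The lambda default also leaves the reader to work out that a plain list, tuple or None is returned unchanged. An explicit form reads more directly: `if hasattr(roles, '__of__'): roles = roles.__of__(im_self)` followed by `return roles`. A small helper shared by both classes would also keep the two copies of this security-relevant logic from drifting apart. The enclosing method starts outside the hunk.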



