[Erp5-report] r25775 - in /erp5/trunk/products/ERP5Type: Accessor/ tests/

nobody at svn.erp5.org nobody at svn.erp5.org
Mon Mar 2 14:05:54 CET 2009 

Author: jerome
Date: Mon Mar  2 14:05:52 2009
New Revision: 25775

URL: http://svn.erp5.org?rev=25775&view=rev
Log:
We cannot use aq_base on the object, because accessors security uses
_aq_dynamic. The problem is MethodName__roles__ can be acquired, so one
solution is to call _aq_dynamic explicitly to get MethodName__roles__


Modified:
    erp5/trunk/products/ERP5Type/Accessor/Base.py
    erp5/trunk/products/ERP5Type/tests/testERP5Type.py

Modified: erp5/trunk/products/ERP5Type/Accessor/Base.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Accessor/Base.py?rev=25775&r1=25774&r2=25775&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Accessor/Base.py [utf8] (original)
+++ erp5/trunk/products/ERP5Type/Accessor/Base.py [utf8] Mon Mar  2 14:05:52 2009
@@ -204,21 +204,27 @@
     class __roles__:
       @staticmethod
       def rolesForPermissionOn(ob):
-        roles = getattr(aq_base(ob.im_self), '%s__roles__' % ob.__name__, None)
+        # we explictly call _aq_dynamic to prevent acquiering the attribute
+        # from container
+        roles = ob.im_self._aq_dynamic('%s__roles__' % ob.__name__)
         if roles is None:
             return rolesForPermissionOn(None, ob.im_self, ('Manager',),
                                         '_Modify_portal_content_Permission')
         else:
-            return roles        
+            # wrap explicitly, because we used _aq_dynamic
+            return roles.__of__(ob.im_self)
     Setter.__roles__ = __roles__
 
     class __roles__:
       @staticmethod
       def rolesForPermissionOn(ob):
-        roles = getattr(aq_base(ob.im_self), '%s__roles__' % ob.__name__, None)
+        # we explictly call _aq_dynamic to prevent acquiering the attribute
+        # from container
+        roles = ob.im_self._aq_dynamic('%s__roles__' % ob.__name__)
         if roles is None:
             return rolesForPermissionOn(None, ob.im_self, ('Manager',),
                                         '_Access_contents_information_Permission')
         else:
-            return roles        
+            # wrap explicitly, because we used _aq_dynamic
+            return roles.__of__(ob.im_self)
     Getter.__roles__ = __roles__

Modified: erp5/trunk/products/ERP5Type/tests/testERP5Type.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/tests/testERP5Type.py?rev=25775&r1=25774&r2=25775&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/tests/testERP5Type.py [utf8] (original)
+++ erp5/trunk/products/ERP5Type/tests/testERP5Type.py [utf8] Mon Mar  2 14:05:52 2009
@@ -2467,6 +2467,15 @@
         obj._edit(foo_bar="v3")
         self.assertEqual(obj.getFooBar(), "v3")
 
+    def test_accessor_security_and_getTitle_acquisition(self):
+      obj = self.getOrganisationModule().newContent(portal_type='Organisation')
+      self.assertTrue(guarded_hasattr(obj, 'getTitle'))
+      # getTitle__roles__ is defined on ERP5Site class, so it can be acquired,
+      # and this would be wrong
+      obj.manage_permission(Permissions.View, [], 0)
+      obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
+      self.assertFalse(guarded_hasattr(obj, 'getTitle'))
+
     def test_AddPermission(self):
       # test "Add permission" on ERP5 Type Information
       self.portal.portal_types.manage_addTypeInformation(

More information about the Erp5-report mailing list