[Erp5-report] r25775 - in /erp5/trunk/products/ERP5Type: Accessor/ tests/
nobody at svn.erp5.org
nobody at svn.erp5.org
Mon Mar 2 14:05:54 CET 2009
Author: jerome
Date: Mon Mar 2 14:05:52 2009
New Revision: 25775
URL: http://svn.erp5.org?rev=25775&view=rev
Log:
We cannot use aq_base on the object, because accessor security relies on
_aq_dynamic. The problem is that MethodName__roles__ can be acquired, so one
solution is to call _aq_dynamic explicitly to get MethodName__roles__.
Modified:
erp5/trunk/products/ERP5Type/Accessor/Base.py
erp5/trunk/products/ERP5Type/tests/testERP5Type.py
Modified: erp5/trunk/products/ERP5Type/Accessor/Base.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Accessor/Base.py?rev=25775&r1=25774&r2=25775&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Accessor/Base.py [utf8] (original)
+++ erp5/trunk/products/ERP5Type/Accessor/Base.py [utf8] Mon Mar 2 14:05:52 2009
@@ -204,21 +204,27 @@
class __roles__:
@staticmethod
def rolesForPermissionOn(ob):
- roles = getattr(aq_base(ob.im_self), '%s__roles__' % ob.__name__, None)
+ # we explictly call _aq_dynamic to prevent acquiering the attribute
+ # from container
+ roles = ob.im_self._aq_dynamic('%s__roles__' % ob.__name__)
if roles is None:
return rolesForPermissionOn(None, ob.im_self, ('Manager',),
'_Modify_portal_content_Permission')
else:
- return roles
+ # wrap explicitly, because we used _aq_dynamic
+ return roles.__of__(ob.im_self)
Setter.__roles__ = __roles__
class __roles__:
@staticmethod
def rolesForPermissionOn(ob):
- roles = getattr(aq_base(ob.im_self), '%s__roles__' % ob.__name__, None)
+ # we explictly call _aq_dynamic to prevent acquiering the attribute
+ # from container
+ roles = ob.im_self._aq_dynamic('%s__roles__' % ob.__name__)
if roles is None:
return rolesForPermissionOn(None, ob.im_self, ('Manager',),
'_Access_contents_information_Permission')
else:
- return roles
+ # wrap explicitly, because we used _aq_dynamic
+ return roles.__of__(ob.im_self)
Getter.__roles__ = __roles__
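Review bot: `return roles.__of__(ob.im_self)` in both `rolesForPermissionOn` bodies (Setter and Getter) assumes that whatever `_aq_dynamic` returns is acquisition-aware. If a `MethodName__roles__` value can ever be a plain tuple or list of role names, the security check would raise AttributeError instead of returning the roles. Consider guarding the wrap with `wrap = getattr(roles, '__of__', None)` followed by `return roles if wrap is None else wrap(ob.im_self)`. The two classes now differ only in the fallback permission name, so a shared helper taking that name would keep the two security paths from drifting apart; the new comment also misspells `explictly` and `acquiering`. The scope enclosing these class definitions starts outside the hunk.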
Modified: erp5/trunk/products/ERP5Type/tests/testERP5Type.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/tests/testERP5Type.py?rev=25775&r1=25774&r2=25775&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/tests/testERP5Type.py [utf8] (original)
+++ erp5/trunk/products/ERP5Type/tests/testERP5Type.py [utf8] Mon Mar 2 14:05:52 2009
@@ -2467,6 +2467,15 @@
obj._edit(foo_bar="v3")
self.assertEqual(obj.getFooBar(), "v3")
+ def test_accessor_security_and_getTitle_acquisition(self):
+ obj = self.getOrganisationModule().newContent(portal_type='Organisation')
+ self.assertTrue(guarded_hasattr(obj, 'getTitle'))
+ # getTitle__roles__ is defined on ERP5Site class, so it can be acquired,
+ # and this would be wrong
+ obj.manage_permission(Permissions.View, [], 0)
+ obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
+ self.assertFalse(guarded_hasattr(obj, 'getTitle'))
+
def test_AddPermission(self):
# test "Add permission" on ERP5 Type Information
self.portal.portal_types.manage_addTypeInformation(
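Review bot: `test_accessor_security_and_getTitle_acquisition` covers only the Getter path, although the Setter `__roles__` class in Base.py received the same change and has no matching assertion. A parallel check would pin that side too, assuming `Permissions.ModifyPortalContent` is available here: `obj.manage_permission(Permissions.ModifyPortalContent, [], 0)` followed by `self.assertFalse(guarded_hasattr(obj, 'setTitle'))`. The test also removes View and AccessContentsInformation together, so it does not show which of the two permissions guards `getTitle`; removing only AccessContentsInformation, or adding a comment such as `# getters are protected by Access contents information`, would make the intent explicit. The enclosing test class and the rest of `test_AddPermission` are outside the hunk.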