[Erp5-report] r34474 jerome - in /erp5/trunk/products/ERP5Type: Core/ tests/
nobody at svn.erp5.org
nobody at svn.erp5.org
Mon Apr 12 17:19:05 CEST 2010
Author: jerome
Date: Mon Apr 12 17:19:01 2010
New Revision: 34474
URL: http://svn.erp5.org?rev=34474&view=rev
Log:
validate copy & paste according to ERP5Type rules (ie. "Add permission" on the
type information)
Modified:
erp5/trunk/products/ERP5Type/Core/Folder.py
erp5/trunk/products/ERP5Type/tests/testERP5Type.py
Modified: erp5/trunk/products/ERP5Type/Core/Folder.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Core/Folder.py?rev=34474&r1=34473&r2=34474&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Core/Folder.py [utf8] (original)
+++ erp5/trunk/products/ERP5Type/Core/Folder.py [utf8] Mon Apr 12 17:19:01 2010
@@ -29,12 +29,13 @@
import transaction
from AccessControl import ClassSecurityInfo
-from Acquisition import aq_base, aq_self, aq_parent
+from Acquisition import aq_base, aq_self, aq_parent, aq_inner
from OFS.History import Historical
from OFS.Folder import Folder as OFSFolder
import ExtensionClass
-from Products.CMFCore.utils import _getAuthenticatedUser
+from Products.CMFCore.utils import _getAuthenticatedUser, getToolByName
+from Products.CMFCore.exceptions import AccessControl_Unauthorized
from Products.CMFCore.CMFCatalogAware import CMFCatalogAware
from Products.CMFCore.PortalFolder import ContentFilter
@@ -1507,6 +1508,41 @@
raise ValueError, "The method %s was not found" % method_id
method(*args, **kw)
+ def _verifyObjectPaste(self, object, validate_src=1):
+ # To paste in an ERP5Type folder, we need to check 'Add permission'
+ # that might be defined on the sub object type information.
+ pt = getToolByName(self, 'portal_types')
+ subobject_type = pt.getTypeInfo(object)
+ if subobject_type is not None:
+ sm = getSecurityManager()
+ parent = aq_parent(aq_inner(object))
+
+ # check allowed content types
+ type_name = subobject_type.getId()
+ myType = pt.getTypeInfo(self)
+ if myType is not None and not myType.allowType(type_name):
+ raise ValueError('Disallowed subobject type: %s' % type_name)
+
+ # Check Add permission (ERPType addition)
+ add_permission = getattr(aq_base(subobject_type), 'permission', '')
+ if add_permission:
+ if not sm.checkPermission(add_permission, self):
+ raise AccessControl_Unauthorized, add_permission
+
+ # handle validate_src
+ if validate_src:
+ if not sm.validate(None, parent, None, object):
+ raise AccessControl_Unauthorized, object_id
+ if validate_src > 1:
+ if not sm.checkPermission(DeleteObjects, parent):
+ raise AccessControl_Unauthorized
+ # so far, everything OK
+ return
+
+ # if we haven't been able to validate, pass through to parent class
+ Folder.inheritedAttribute(
+ '_verifyObjectPaste')(self, object, validate_src)
+
# We browse all used class from btree and hbtree and set not implemented
# class if one method defined on a class is not defined on other, thus if
Modified: erp5/trunk/products/ERP5Type/tests/testERP5Type.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/tests/testERP5Type.py?rev=34474&r1=34473&r2=34474&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/tests/testERP5Type.py [utf8] (original)
+++ erp5/trunk/products/ERP5Type/tests/testERP5Type.py [utf8] Mon Apr 12 17:19:01 2010
@@ -2564,7 +2564,16 @@
container.manage_permission('Manage portal', ['Anonymous'], 0)
self.assertTrue(type_info in container.allowedContentTypes())
- container.newContent(portal_type='Test Add Permission Document')
+ doc = container.newContent(portal_type='Test Add Permission Document')
+
+ # we can also clone such documents only with the permission registered on
+ # the type information
+ copy_data = container.manage_copyObjects([doc.getId()])
+ container.manage_pasteObjects(copy_data)
+
+ container.manage_permission('Manage portal', [], 0)
+ self.assertRaises(Unauthorized, container.manage_pasteObjects, copy_data)
+
def testPropertyListWithMonoValuedProperty(self):
"""
More information about the Erp5-report
mailing list