[CMF-checkins] CVS: CMF/DCWorkflow - Guard.py:1.7 Transitions.py:1.7 Variables.py:1.6 Worklists.py:1.7

Martijn Pieters mj@zope.com
Thu, 17 Oct 2002 15:31:01 -0400


Update of /cvs-repository/CMF/DCWorkflow
In directory cvs.zope.org:/tmp/cvs-serv15466

Modified Files:
	Guard.py Transitions.py Variables.py Worklists.py 
Log Message:
Fix untrusted-code access to Guard information accessors.

- Make Guards inherit from Acquisition.Explicit

- Make sure Guards are always wrapped

- Add security declarations for the accessor methods.


=== CMF/DCWorkflow/Guard.py 1.6 => 1.7 ===
--- CMF/DCWorkflow/Guard.py:1.6	Thu Aug  1 15:05:14 2002
+++ CMF/DCWorkflow/Guard.py	Thu Oct 17 15:31:00 2002
@@ -21,6 +21,7 @@
 import Globals
 from Globals import DTMLFile, Persistent
 from AccessControl import ClassSecurityInfo
+from Acquisition import Explicit
 
 from Products.CMFCore.CMFCorePermissions import ManagePortal
 
@@ -28,7 +29,7 @@
 from utils import _dtmldir
 
 
-class Guard (Persistent):
+class Guard (Persistent, Explicit):
     permissions = ()
     roles = ()
     expr = None
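Review bot: The new `Explicit` base on `class Guard (Persistent, Explicit):` has no comment saying why a small settings holder needs an acquisition base, and that reason is easy to lose in a later cleanup. Going by the log message, the wrapper is what lets the accessor declarations be enforced for untrusted code. Explicit, unlike Implicit, does not acquire names from the container automatically. A comment above the class would record this: `# Acquisition.Explicit: guards must be wrapped so their security declarations are checked in context; Explicit avoids acquiring names from the parent.` The class body continues outside the hunk.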
@@ -70,6 +71,7 @@
                 return 0
         return 1
 
+    security.declareProtected(ManagePortal, 'getSummary')
     def getSummary(self):
         # Perhaps ought to be in DTML.
         res = []
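Review bot: The `security.declareProtected(ManagePortal, 'getSummary')` line only records the declaration on the class's `security` object, and it takes effect when the class is initialised. Neither the `security = ClassSecurityInfo()` assignment nor a `Globals.InitializeClass(Guard)` call is visible in these hunks. If the file does not already make that call after the class, the four new declarations (this one and the three in the next hunk) are never applied and the accessors are not protected by ManagePortal as intended. Worth confirming, and adding `Globals.InitializeClass(Guard)` after the class body if it is missing. getSummary's body continues outside the hunk.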
@@ -125,16 +127,19 @@
             self.expr = Expression(s)
         return res
 
+    security.declareProtected(ManagePortal, 'getPermissionsText')
     def getPermissionsText(self):
         if not self.permissions:
             return ''
         return join(self.permissions, '; ')
 
+    security.declareProtected(ManagePortal, 'getRolesText')
     def getRolesText(self):
         if not self.roles:
             return ''
         return join(self.roles, '; ')
 
+    security.declareProtected(ManagePortal, 'getExprText')
     def getExprText(self):
         if not self.expr:
             return ''
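Review bot: The method whose tail opens this hunk (`self.expr = Expression(s)` then `return res`) modifies the guard, yet the hunk adds declarations only to the three read accessors below it. Its signature is outside the hunk, so it may already be protected. If it is not, it should get an explicit declaration now that guards are handed out wrapped: `security.declareProtected(ManagePortal, '<method name>')` directly above its `def`. getExprText also continues past the end of the hunk.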


=== CMF/DCWorkflow/Transitions.py 1.6 => 1.7 ===
--- CMF/DCWorkflow/Transitions.py:1.6	Thu Aug  1 15:05:14 2002
+++ CMF/DCWorkflow/Transitions.py	Thu Oct 17 15:31:00 2002
@@ -73,7 +73,7 @@
         if self.guard is not None:
             return self.guard
         else:
-            return Guard()  # Create a temporary guard.
+            return Guard().__of__(self)  # Create a temporary guard.
 
     def getVarExprText(self, id):
         if not self.var_exprs:
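Review bot: The "guards are always wrapped" rule from the log message is enforced by hand on the `return Guard().__of__(self)` line, and the identical line is repeated in the Variables.py and Worklists.py hunks. Any accessor added later that returns a bare `Guard()` would bring the unwrapped object back, and the unchanged comment `# Create a temporary guard.` gives no hint that the wrap matters. I would extend the comment at all three sites, for example `# Temporary guard; wrap it so Guard's security declarations are checked in this object's context.` The wrapper is also only as good as `self`'s own context, so it is worth confirming these getters are never reached on an unwrapped definition object. The enclosing getter starts outside the hunk.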


=== CMF/DCWorkflow/Variables.py 1.5 => 1.6 ===
--- CMF/DCWorkflow/Variables.py:1.5	Thu Aug  1 15:05:14 2002
+++ CMF/DCWorkflow/Variables.py	Thu Oct 17 15:31:00 2002
@@ -62,7 +62,7 @@
         if self.info_guard is not None:
             return self.info_guard
         else:
-            return Guard()  # Create a temporary guard.
+            return Guard().__of__(self)  # Create a temporary guard.
 
     def getInfoGuardSummary(self):
         res = None


=== CMF/DCWorkflow/Worklists.py 1.6 => 1.7 ===
--- CMF/DCWorkflow/Worklists.py:1.6	Tue Aug  6 09:28:29 2002
+++ CMF/DCWorkflow/Worklists.py	Thu Oct 17 15:31:00 2002
@@ -53,7 +53,7 @@
         if self.guard is not None:
             return self.guard
         else:
-            return Guard()  # Create a temporary guard.
+            return Guard().__of__(self)  # Create a temporary guard.
 
     def getGuardSummary(self):
         res = None