[CMF-checkins] CVS: CMF/DCWorkflow - Guard.py:1.7 Transitions.py:1.7 Variables.py:1.6 Worklists.py:1.7
Martijn Pieters
mj@zope.com
Thu, 17 Oct 2002 15:31:01 -0400
Update of /cvs-repository/CMF/DCWorkflow
In directory cvs.zope.org:/tmp/cvs-serv15466
Modified Files:
Guard.py Transitions.py Variables.py Worklists.py
Log Message:
Fix untrusted-code access to Guard information accessors.
- Make Guards inherit from Acquisition.Explicit
- Make sure Guards are always wrapped
- Add security declarations for the accessor methods.
=== CMF/DCWorkflow/Guard.py 1.6 => 1.7 ===
--- CMF/DCWorkflow/Guard.py:1.6 Thu Aug 1 15:05:14 2002
+++ CMF/DCWorkflow/Guard.py Thu Oct 17 15:31:00 2002
@@ -21,6 +21,7 @@
import Globals
from Globals import DTMLFile, Persistent
from AccessControl import ClassSecurityInfo
+from Acquisition import Explicit
from Products.CMFCore.CMFCorePermissions import ManagePortal
@@ -28,7 +29,7 @@
from utils import _dtmldir
-class Guard (Persistent):
+class Guard (Persistent, Explicit):
permissions = ()
roles = ()
expr = None
@@ -70,6 +71,7 @@
return 0
return 1
+ security.declareProtected(ManagePortal, 'getSummary')
def getSummary(self):
# Perhaps ought to be in DTML.
res = []
@@ -125,16 +127,19 @@
self.expr = Expression(s)
return res
+ security.declareProtected(ManagePortal, 'getPermissionsText')
def getPermissionsText(self):
if not self.permissions:
return ''
return join(self.permissions, '; ')
+ security.declareProtected(ManagePortal, 'getRolesText')
def getRolesText(self):
if not self.roles:
return ''
return join(self.roles, '; ')
+ security.declareProtected(ManagePortal, 'getExprText')
def getExprText(self):
if not self.expr:
return ''
=== CMF/DCWorkflow/Transitions.py 1.6 => 1.7 ===
--- CMF/DCWorkflow/Transitions.py:1.6 Thu Aug 1 15:05:14 2002
+++ CMF/DCWorkflow/Transitions.py Thu Oct 17 15:31:00 2002
@@ -73,7 +73,7 @@
if self.guard is not None:
return self.guard
else:
- return Guard() # Create a temporary guard.
+ return Guard().__of__(self) # Create a temporary guard.
def getVarExprText(self, id):
if not self.var_exprs:
=== CMF/DCWorkflow/Variables.py 1.5 => 1.6 ===
--- CMF/DCWorkflow/Variables.py:1.5 Thu Aug 1 15:05:14 2002
+++ CMF/DCWorkflow/Variables.py Thu Oct 17 15:31:00 2002
@@ -62,7 +62,7 @@
if self.info_guard is not None:
return self.info_guard
else:
- return Guard() # Create a temporary guard.
+ return Guard().__of__(self) # Create a temporary guard.
def getInfoGuardSummary(self):
res = None
=== CMF/DCWorkflow/Worklists.py 1.6 => 1.7 ===
--- CMF/DCWorkflow/Worklists.py:1.6 Tue Aug 6 09:28:29 2002
+++ CMF/DCWorkflow/Worklists.py Thu Oct 17 15:31:00 2002
@@ -53,7 +53,7 @@
if self.guard is not None:
return self.guard
else:
- return Guard() # Create a temporary guard.
+ return Guard().__of__(self) # Create a temporary guard.
def getGuardSummary(self):
res = None