[CMF-checkins] SVN: CMF/trunk/CMFCore/ - CMFCore.utils: The return
value from _mergedLocalRoles allowed
Jens Vagelpohl
jens at dataflake.org
Fri Aug 26 04:02:07 EDT 2005
Log message for revision 38100:
- CMFCore.utils: The return value from _mergedLocalRoles allowed
direct manipulation of objects' local role settings since it
contained references to the actual values instead of copies.
(http://www.zope.org/Collectors/CMF/376)
Changed:
U CMF/trunk/CMFCore/tests/test_utils.py
U CMF/trunk/CMFCore/utils.py
-=-
Modified: CMF/trunk/CMFCore/tests/test_utils.py
===================================================================
--- CMF/trunk/CMFCore/tests/test_utils.py 2005-08-26 08:01:26 UTC (rev 38099)
+++ CMF/trunk/CMFCore/tests/test_utils.py 2005-08-26 08:02:07 UTC (rev 38100)
@@ -100,7 +100,23 @@
self.assertEqual( contributorsplitter({'Contributors': x}),
['foo', 'bar', 'baz'] )
+ def test_mergedLocalRolesManipulation(self):
+ # The _mergedLocalRoles function used to return references to
+ # actual local role settings and it was possible to manipulate them
+ # by changing the return value. http://www.zope.org/Collectors/CMF/376
+ from Products.CMFCore.tests.base.dummy import DummyContent
+ from Products.CMFCore.utils import _mergedLocalRoles
+ obj = DummyContent()
+ obj.manage_addLocalRoles('dummyuser1', ['Manager', 'Owner'])
+ self.assertEqual(len(obj.get_local_roles_for_userid('dummyuser1')), 2)
+ merged_roles = _mergedLocalRoles(obj)
+ merged_roles['dummyuser1'].append('FOO')
+
+ # The values on the object itself should still the the same
+ self.assertEqual(len(obj.get_local_roles_for_userid('dummyuser1')), 2)
+
+
def test_suite():
return TestSuite((
makeSuite(CoreUtilsTests),
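Review bot: The new test_mergedLocalRolesManipulation compares only `len(...)` before and after the append, so it would still pass if the stored role list were altered without changing its length. Asserting on the content pins the property being protected more directly, e.g. `self.failIf('FOO' in obj.get_local_roles_for_userid('dummyuser1'))`. The test also mutates only a value list for a user set directly on the object; a second case that adds a new key to `merged_roles` and then checks the object's local roles would cover the dictionary itself. The comment "should still the the same" has a typo and should read "should still be the same".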
Modified: CMF/trunk/CMFCore/utils.py
===================================================================
--- CMF/trunk/CMFCore/utils.py 2005-08-26 08:01:26 UTC (rev 38099)
+++ CMF/trunk/CMFCore/utils.py 2005-08-26 08:02:07 UTC (rev 38100)
@@ -18,6 +18,7 @@
from os import path as os_path
from os.path import abspath
import re
+from copy import deepcopy
from AccessControl import ClassSecurityInfo
from AccessControl import getSecurityManager
@@ -208,8 +209,9 @@
object=getattr(object, 'aq_inner', object)
continue
break
- return merged
+ return deepcopy(merged)
+
security.declarePrivate('_ac_inherited_permissions')
def _ac_inherited_permissions(ob, all=0):
# Get all permissions not defined in ourself that are inherited
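Review bot: The `return deepcopy(merged)` line carries no comment explaining why the copy is needed, and because it looks redundant it is at risk of being removed in a later cleanup, which would reopen the way for callers to change stored role assignments. A comment above it would record the intent, such as `# Return a copy: callers must not be able to modify the objects' stored local roles through the result (Collector #376)`. The copy is made on every call; if this function sits on a frequently used path, copying each role list at the point it is merged may be cheaper. The function body begins outside this hunk, so that cannot be judged from here.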