[CMF-checkins] SVN: CMF/branches/2.0/C Issue #380: Use proxy roles,
when applicable, rather than user's roles.
Tres Seaver
tseaver at palladion.com
Mon Sep 4 17:15:58 EDT 2006
Log message for revision 69961:
Issue #380: Use proxy roles, when applicable, rather than user's roles.
Changed:
U CMF/branches/2.0/CHANGES.txt
U CMF/branches/2.0/CMFCore/CatalogTool.py
U CMF/branches/2.0/CMFCore/tests/test_CatalogTool.py
-=-
Modified: CMF/branches/2.0/CHANGES.txt
===================================================================
--- CMF/branches/2.0/CHANGES.txt 2006-09-04 19:25:26 UTC (rev 69960)
+++ CMF/branches/2.0/CHANGES.txt 2006-09-04 21:15:57 UTC (rev 69961)
@@ -2,6 +2,10 @@
Bug Fixes
+ - CMFCore.CatalogTool: Use current executable's proxy roles, if any,
+ in place of user's roles when computing 'allowedRolesAndUsers' for
+ a query.
+
- CMFCore.FSDTMLMethod: Add class-default '_owner', to prevent unintended
acquisition of ownership (http://www.zope.org/Collectors/CMF/450)
Modified: CMF/branches/2.0/CMFCore/CatalogTool.py
===================================================================
--- CMF/branches/2.0/CMFCore/CatalogTool.py 2006-09-04 19:25:26 UTC (rev 69960)
+++ CMF/branches/2.0/CMFCore/CatalogTool.py 2006-09-04 21:15:57 UTC (rev 69961)
@@ -16,6 +16,7 @@
"""
from AccessControl import ClassSecurityInfo
+from AccessControl import getSecurityManager
from AccessControl.PermissionRole import rolesForPermissionOn
from Acquisition import aq_base
from DateTime import DateTime
@@ -143,7 +144,14 @@
#
def _listAllowedRolesAndUsers(self, user):
- result = list( user.getRoles() )
+ effective_roles = user.getRoles()
+ sm = getSecurityManager()
+ if sm.calledByExecutable():
+ eo = sm._context.stack[-1]
+ proxy_roles = getattr(eo, '_proxy_roles', None)
+ if proxy_roles is not None:
+ effective_roles = proxy_roles
+ result = list( effective_roles )
result.append( 'Anonymous' )
result.append( 'user:%s' % user.getId() )
return result
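Review bot: The `proxy_roles is not None` test in `_listAllowedRolesAndUsers` treats an empty `_proxy_roles` tuple as a real restriction, so an executable that carries the attribute but lists no roles would discard the user's roles and the query would match only 'Anonymous' and `user:<id>` entries. If the intent is to mirror how the security policy decides whether proxy roles apply (worth confirming against ZopeSecurityPolicy), a truthiness check `if proxy_roles:` is the closer match. Separately, `'user:%s' % user.getId()` is still appended when proxy roles are in effect, so objects indexed with a grant for that user stay in the results even though the roles were narrowed; decide whether that is intended and record it in a comment. `sm._context.stack[-1]` reads private state of the security manager and deserves a short comment such as `# no public accessor for the current executable; keep in sync with AccessControl`.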
Modified: CMF/branches/2.0/CMFCore/tests/test_CatalogTool.py
===================================================================
--- CMF/branches/2.0/CMFCore/tests/test_CatalogTool.py 2006-09-04 19:25:26 UTC (rev 69960)
+++ CMF/branches/2.0/CMFCore/tests/test_CatalogTool.py 2006-09-04 21:15:57 UTC (rev 69961)
@@ -19,6 +19,7 @@
import Testing
from AccessControl.SecurityManagement import newSecurityManager
+from AccessControl.SecurityManagement import noSecurityManager
from DateTime import DateTime
from Products.CMFCore.tests.base.dummy import DummyContent
@@ -127,6 +128,13 @@
user = OmnipotentUser().__of__(self.root)
newSecurityManager(None, user)
+ def setupProxyRoles(self, *proxy_roles):
+ from AccessControl import getSecurityManager
+ class FauxExecutable:
+ _proxy_roles = proxy_roles
+ sm = getSecurityManager()
+ sm.addContext(FauxExecutable())
+
def test_processActions(self):
"""
Tracker #405: CatalogTool doesn't accept optional third
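Review bot: `setupProxyRoles` pushes a `FauxExecutable` onto the security manager with `sm.addContext(...)` and nothing in this hunk removes it, so the proxy roles outlive the test unless tearDown resets the security manager. The newly imported `noSecurityManager` suggests that reset happens in tearDown, but that code is outside the hunk; if it does not, add `noSecurityManager()` there so one test's proxy roles cannot change the outcome of the next. The function-local `from AccessControl import getSecurityManager` could move to the module imports next to `newSecurityManager`. The enclosing test class starts and continues outside the hunk.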
@@ -148,6 +156,56 @@
self.assertEqual(1, len(catalog._catalog.searchResults()))
self.assertEqual(0, len(catalog.searchResults()))
+ def test_search_member_with_valid_roles(self):
+ catalog = self._makeOne()
+ catalog.addIndex('allowedRolesAndUsers', 'KeywordIndex')
+ dummy = DummyContent(catalog=1)
+ dummy._View_Permission = ('Blob',)
+ catalog.catalog_object(dummy, '/dummy')
+
+ self.loginWithRoles('Blob')
+
+ self.assertEqual(1, len(catalog._catalog.searchResults()))
+ self.assertEqual(1, len(catalog.searchResults()))
+
+ def test_search_member_with_valid_roles_but_proxy_roles_limit(self):
+ catalog = self._makeOne()
+ catalog.addIndex('allowedRolesAndUsers', 'KeywordIndex')
+ dummy = DummyContent(catalog=1)
+ dummy._View_Permission = ('Blob',)
+ catalog.catalog_object(dummy, '/dummy')
+
+ self.loginWithRoles('Blob')
+ self.setupProxyRoles('Waggle')
+
+ self.assertEqual(1, len(catalog._catalog.searchResults()))
+ self.assertEqual(0, len(catalog.searchResults()))
+
+ def test_search_member_wo_valid_roles(self):
+ catalog = self._makeOne()
+ catalog.addIndex('allowedRolesAndUsers', 'KeywordIndex')
+ dummy = DummyContent(catalog=1)
+ dummy._View_Permission = ('Blob',)
+ catalog.catalog_object(dummy, '/dummy')
+
+ self.loginWithRoles('Waggle')
+
+ self.assertEqual(1, len(catalog._catalog.searchResults()))
+ self.assertEqual(0, len(catalog.searchResults()))
+
+ def test_search_member_wo_valid_roles_but_proxy_roles_allow(self):
+ catalog = self._makeOne()
+ catalog.addIndex('allowedRolesAndUsers', 'KeywordIndex')
+ dummy = DummyContent(catalog=1)
+ dummy._View_Permission = ('Blob',)
+ catalog.catalog_object(dummy, '/dummy')
+
+ self.loginWithRoles('Waggle')
+ self.setupProxyRoles('Blob')
+
+ self.assertEqual(1, len(catalog._catalog.searchResults()))
+ self.assertEqual(1, len(catalog.searchResults()))
+
def test_search_inactive(self):
catalog = self._makeOne()
catalog.addIndex('allowedRolesAndUsers', 'KeywordIndex')
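Review bot: The four new tests only exercise proxy roles that are present and non-empty; the branch where the calling executable has no `_proxy_roles` attribute, or an empty one, is not covered, and that is where `getattr(eo, '_proxy_roles', None)` and the `is not None` check in CatalogTool.py decide whether the user's own roles survive. A test along the lines of `test_search_member_with_valid_roles_and_empty_proxy_roles`, calling `self.setupProxyRoles()` with no arguments after `self.loginWithRoles('Blob')`, would pin the intended result. The five-line catalog and dummy setup is repeated verbatim in each test and could be one helper. `test_search_inactive` continues past the end of the hunk.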