[Zope-Checkins] CVS: Zope2 - User.py:1.133.2.10
Brian Lloyd
brian@digiciool.com
Fri, 9 Mar 2001 12:20:35 -0500 (EST)
Update of /cvs-repository/Zope2/lib/python/AccessControl
In directory korak:/home/brian/temp/zope-23-branch/lib/python/AccessControl
Modified Files:
Tag: zope-2_3-branch
User.py
Log Message:
Fixed extra wrapping of users passed to authorize and added workaround for
broken aq_inContextOf for now.
--- Updated File User.py in package Zope2 --
--- User.py 2001/03/07 21:10:32 1.133.2.9
+++ User.py 2001/03/09 17:20:35 1.133.2.10
@@ -248,12 +248,17 @@
# Fail the access attempt. Otherwise
# this would be a security hole.
return None
- if not object.aq_inContextOf(ucontext, 1):
+ # -----------------------------------------------------
+ # FIXME: this is a workaround for broken aq_inContextOf
+ # -----------------------------------------------------
+ # if not object.aq_inContextOf(ucontext, 1):
+ if not isInContext(ucontext, object):
if 'Shared' in object_roles:
# Damn, old role setting. Waaa
object_roles=self._shared_roles(object)
if 'Anonymous' in object_roles: return 1
return None
+
# Note that if self were not wrapped, it would
# not be possible to determine the user's context
# and this method would return 1.
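Review bot: The FIXME banner on the replaced `aq_inContextOf` call says only that the method is broken, not what fails or what must hold before the commented-out line can be restored, so a later maintainer cannot tell when the workaround is safe to remove. Because this comparison is what denies the access attempt when `object` is not found inside `ucontext` (unless the roles fall through to Shared/Anonymous), its intent should be recorded rather than left as a dead line, e.g. `# Workaround: aq_inContextOf(ucontext, 1) misbehaves; isInContext walks the containment chain of object looking for ucontext. Restore the direct call once aq_inContextOf is fixed.` and drop the commented-out line. The enclosing method begins before the hunk, so that `ucontext` is the user folder's context is inferred from the surrounding comments only.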
@@ -536,7 +541,8 @@
return None
def authorize(self, user, accessed, container, name, value, roles):
- newSecurityManager(None, user.__of__(self))
+ user = getattr(user, 'aq_base', user).__of__(self)
+ newSecurityManager(None, user)
security = getSecurityManager()
try:
try:
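Review bot: `getattr(user, 'aq_base', user)` on the added line hand-rolls what `aq_base` from Acquisition does, and that helper is imported by this same commit at the end of the module, so `user = aq_base(user).__of__(self)` would be the consistent form and resolves fine at call time. The rebinding of the `user` parameter also deserves a why-comment, e.g. `# Strip whatever wrapper the caller left on user and re-wrap it in this folder so the security manager sees exactly one context.` The nested try blocks that follow continue past the hunk.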
@@ -592,8 +598,7 @@
elif user is None:
# either we didn't find the username, or the user's password
# was incorrect. try to authorize and return the anonymous user.
- if self._isTop() and self.authorize(self._nobody.__of__(self),a,
- c,n,v,roles):
+ if self._isTop() and self.authorize(self._nobody, a,c,n,v,roles):
return self._nobody.__of__(self)
else:
# anonymous can't authorize or we're not top-level user folder
@@ -602,11 +607,10 @@
# We found a user, his password was correct, and the user
# wasn't the emergency user. We need to authorize the user
# against the published object.
- if self.authorize(user.__of__(self), a, c, n, v, roles):
+ if self.authorize(user, a, c, n, v, roles):
return user.__of__(self)
# That didn't work. Try to authorize the anonymous user.
- elif self._isTop() and self.authorize(self._nobody.__of__(self),
- a,c,n,v,roles):
+ elif self._isTop() and self.authorize(self._nobody,a,c,n,v,roles):
return self._nobody.__of__(self)
else:
# we can't authorize the user, and we either can't authorize
@@ -626,8 +630,7 @@
if self.authenticate(
user.getUserName(), '', request
):
- if self.authorize(user.__of__(self), a, c,
- n, v, roles):
+ if self.authorize(user, a, c, n, v, roles):
return user.__of__(self)
user = self.getUser(name)
@@ -645,7 +648,7 @@
elif user is None:
# we didn't find the username in this database
# try to authorize and return the anonymous user.
- if self._isTop() and self.authorize(self._nobody.__of__(self),
+ if self._isTop() and self.authorize(self._nobody,
a, c, n, v, roles):
return self._nobody.__of__(self)
else:
@@ -655,11 +658,11 @@
else:
# We found a user and the user wasn't the emergency user.
# We need to authorize the user against the published object.
- if self.authorize(user.__of__(self), a, c, n, v, roles):
+ if self.authorize(user, a, c, n, v, roles):
return user.__of__(self)
# That didn't work. Try to authorize the anonymous user.
elif self._isTop() and self.authorize(
- self._nobody.__of__(self), a, c, n, v, roles):
+ self._nobody, a, c, n, v, roles):
return self._nobody.__of__(self)
else:
# we can't authorize the user, and we either can't
@@ -1062,5 +1065,15 @@
def reqattr(request, attr):
try: return request[attr]
except: return None
+
+from Acquisition import aq_base, aq_inner, aq_parent
+def isInContext(fixed, variable):
+ fixed = aq_base(fixed)
+ while variable is not None:
+ v = aq_base(variable)
+ if v is fixed:
+ return 1
+ variable = aq_parent(aq_inner(variable))
+ return 0
Super = UnrestrictedUser # Note: use of the Super alias is deprecated.
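Review bot: `isInContext` has no docstring, and the new `from Acquisition import aq_base, aq_inner, aq_parent` sits between `reqattr` and the `Super` alias at the bottom of the module instead of with the file's other imports, which are outside this hunk. I would add `"""Return 1 if aq_base(fixed) is found in the containment (aq_inner/aq_parent) chain of variable, else 0."""` and move the import to the top of the file. The loop terminates only when `aq_parent(aq_inner(variable))` yields None, so it presumably relies on containment chains being acyclic; a one-line comment stating that assumption would help the next reader.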