[Zope-Checkins] CVS: Zope/lib/python/OFS - PropertySheets.py:1.80.2.1
Andreas Jung
andreas@digicool.com
Wed, 9 Jan 2002 13:33:09 -0500
Update of /cvs-repository/Zope/lib/python/OFS
In directory cvs.zope.org:/tmp/cvs-serv21326/python/OFS
Modified Files:
Tag: Zope-2_5-branch
PropertySheets.py
Log Message:
Added additional protection for webdav clients sending
a 'lockdiscovery' request without proper authorization. This fix checks
the authenticated user against the lock owner. If they don't match,
Zope will send a faked token back. This protection is mainly necessary
to protect Zope against the 'steal' command of cadaver.
=== Zope/lib/python/OFS/PropertySheets.py 1.80 => 1.80.2.1 ===
from Traversable import Traversable
from Acquisition import aq_base
+from AccessControl import getSecurityManager
class View(App.Management.Tabs, Base):
"""A view of an object, typically used for management purposes
@@ -541,13 +542,24 @@
' </n:lockentry>\n '
def dav__lockdiscovery(self):
+ security = getSecurityManager()
+ user = security.getUser().getUserName()
+
+
vself = self.v_self()
out = '\n'
if WriteLockInterface.isImplementedBy(vself):
locks = vself.wl_lockValues(killinvalids=1)
for lock in locks:
- out = '%s\n%s' % (out, lock.asLockDiscoveryProperty('n'))
+
+ creator = lock.getCreator()[-1]
+ if creator == user: fake=0
+ else: fake=1
+
+ out = '%s\n%s' % (out, lock.asLockDiscoveryProperty('n',fake=fake))
+
out = '%s\n' % out
+
return out
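Review bot: The ownership check in the loop compares only `lock.getCreator()[-1]` with `security.getUser().getUserName()`, so everything before the last element of the creator value is ignored. If those leading elements identify where the user is defined, two users with the same name from different user folders would both be treated as the lock owner and get the real token. Compare the full creator value against the equivalent identity of the authenticated user instead. The check also assumes `getCreator()` always returns a non-empty sequence, so a lock without a recorded creator would raise here rather than fall back to `fake=1`; guard for that case so the default is to withhold the token. The `fake` keyword passed to `asLockDiscoveryProperty('n',fake=fake)` is not defined anywhere in this diff, so this depends on a companion change to the lock item class that should be committed together with it. Minor: the `if creator == user: fake=0` / `else: fake=1` pair can be one assignment, `fake = creator != user`, and the two consecutive blank lines added after the `user = ...` line can be dropped.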