[Zope-Checkins] CVS: Zope/lib/python/OFS/tests - testTraverse.py:1.4

Shane Hathaway shane@cvs.zope.org
Thu, 12 Sep 2002 17:20:53 -0400


Update of /cvs-repository/Zope/lib/python/OFS/tests
In directory cvs.zope.org:/tmp/cvs-serv14563/tests

Modified Files:
	testTraverse.py 
Log Message:
Resolution for bug #558: when restrictedTraverse() traverses using a
__bobo_traverse__ hook, and the hook returns an object that comes from
some other container, the security policy may incorrectly deny access.
This fix determines the container of the object based on its
acquisition wrappers, if available, and passes it to validate().

Also added a corresponding unit test.


=== Zope/lib/python/OFS/tests/testTraverse.py 1.3 => 1.4 ===
--- Zope/lib/python/OFS/tests/testTraverse.py:1.3	Wed Aug 14 17:41:16 2002
+++ Zope/lib/python/OFS/tests/testTraverse.py	Thu Sep 12 17:20:52 2002
@@ -1,10 +1,25 @@
-import os, sys, unittest
+##############################################################################
+#
+# Copyright (c) 2001, 2002 Zope Corporation and Contributors.
+# All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.0 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE.
+#
+##############################################################################
 
+import os, sys, unittest
 import string, cStringIO, re
+
 import ZODB, Acquisition
 from OFS.Application import Application
 from OFS.Folder import manage_addFolder
 from OFS.Image import manage_addFile
+from OFS.SimpleItem import SimpleItem
 from Testing.makerequest import makerequest
 from AccessControl import SecurityManager
 from AccessControl.SecurityManagement import newSecurityManager
@@ -46,6 +61,17 @@
     def allowed( self, object, object_roles=None ):
         return 1
 
+
+class BoboTraversable(SimpleItem):
+    __allow_access_to_unprotected_subobjects__ = 1
+
+    def __bobo_traverse__(self, request, name):
+        if name == 'bb_subitem':
+            return BoboTraversable().__of__(self)
+        else:
+            raise KeyError
+
+
 def makeConnection():
     import ZODB
     from ZODB.DemoStorage import DemoStorage
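Review bot: The fixture's `__bobo_traverse__` returns `BoboTraversable().__of__(self)`, so the subitem's acquisition parent is the same object that is being traversed, whereas the log message describes a hook returning an object that comes from some other container. As written, the fixture appears to exercise only the same-container path; a second branch that returns an object wrapped in a different parent would cover the case the fix is aimed at (the fix itself is not shown on this page). Separately, `raise KeyError` would be easier to diagnose as `raise KeyError(name)`. A class comment such as `# Test fixture: traversal hook that hands back an acquisition-wrapped subitem` would also help, ideally stating why `__allow_access_to_unprotected_subobjects__ = 1` is needed here.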
@@ -126,6 +152,16 @@
         self.failUnlessRaises( KeyError, self.folder1.unrestrictedTraverse, ('', 'folder1', 'file2' ) )
         self.failUnlessRaises( KeyError, self.folder1.unrestrictedTraverse,  '/folder1/file2' )
         self.failUnlessRaises( KeyError, self.folder1.unrestrictedTraverse,  '/folder1/file2/' )
+
+    def testTraverseThroughBoboTraverse(self):
+        # Verify it's possible to use __bobo_traverse__ with the
+        # Zope security policy.
+        noSecurityManager()
+        SecurityManager.setSecurityPolicy( self.oldPolicy )
+        bb = BoboTraversable()
+        self.failUnlessRaises(KeyError, bb.restrictedTraverse, 'notfound')
+        bb.restrictedTraverse('bb_subitem')
+
 
 def test_suite():
     suite = unittest.TestSuite()
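Review bot: `testTraverseThroughBoboTraverse` only checks that the permitted traversal does not raise; it never inspects what `bb.restrictedTraverse('bb_subitem')` returns and has no case where the restored policy is expected to deny access. Because the change alters which container is handed to validate(), a negative case (a hook result that the real policy should still reject) would guard against the fix making traversal more permissive than intended. At minimum the last line could become `sub = bb.restrictedTraverse('bb_subitem')` followed by `self.failUnless(isinstance(sub, BoboTraversable))`. The test also reinstalls `self.oldPolicy` and calls `noSecurityManager()`; whether the permissive test policy is put back afterwards depends on setUp/tearDown, which lie outside this hunk along with the start of the enclosing test class.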