[Zope-Checkins] CVS: Zope/lib/python/AccessControl - ZopeGuards.py:1.15 cAccessControl.c:1.19

Shane Hathaway shane@zope.com
Tue, 14 Jan 2003 10:03:39 -0500


Update of /cvs-repository/Zope/lib/python/AccessControl
In directory cvs.zope.org:/tmp/cvs-serv18630/AccessControl

Modified Files:
	ZopeGuards.py cAccessControl.c 
Log Message:
Denial of access to acquired attributes through guarded_getattr() should
result in an Unauthorized error rather than AttributeError.  Added a test
to ensure the bug stays fixed.


=== Zope/lib/python/AccessControl/ZopeGuards.py 1.14 => 1.15 ===
--- Zope/lib/python/AccessControl/ZopeGuards.py:1.14	Tue Dec 17 15:37:29 2002
+++ Zope/lib/python/AccessControl/ZopeGuards.py	Tue Jan 14 10:03:03 2003
@@ -55,7 +55,12 @@
             validate = getSecurityManager().validate
             # Filter out the objects we can't access.
             if hasattr(inst, 'aq_acquire'):
-                return inst.aq_acquire(name, aq_validate, validate)
+                try:
+                    return inst.aq_acquire(name, aq_validate, validate)
+                except AttributeError:
+                    # A denial of access was converted into an
+                    # AttributeError.  Convert it back.
+                    raise Unauthorized, name
             # Or just try to get the attribute directly.
             if validate(inst, inst, name, v):
                 return v
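Review bot: The new `except AttributeError:` around `inst.aq_acquire(name, aq_validate, validate)` converts every AttributeError raised during acquisition into Unauthorized, not only the one that stands for a validation denial. An AttributeError raised inside the `validate` callback or while computing the attribute would also be reported as an access denial. That fails closed, which is the safe direction, but the real fault is hidden from anyone reading the resulting Unauthorized in a log or traceback. The comment should state the assumption it relies on, for example `# The attribute was already fetched above, so an AttributeError here is taken to mean the validator filtered it out.` The earlier fetch of `v` is outside the hunk, so confirm it before adopting that wording.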


=== Zope/lib/python/AccessControl/cAccessControl.c 1.18 => 1.19 ===
--- Zope/lib/python/AccessControl/cAccessControl.c:1.18	Mon Dec 16 14:13:00 2002
+++ Zope/lib/python/AccessControl/cAccessControl.c	Tue Jan 14 10:03:05 2003
@@ -2011,12 +2011,24 @@
       /*
         # Filter out the objects we can't access.
         if hasattr(inst, 'aq_acquire'):
-            return inst.aq_acquire(name, aq_validate, validate)
+            try:
+                return inst.aq_acquire(name, aq_validate, validate)
+            except AttributeError:
+                # A denial of access was converted into an
+                # AttributeError.  Convert it back.
+                raise Unauthorized, name
        */
       if (aq_isWrapper(inst))
         {
-          ASSIGN(v, aq_Acquire(inst, name, aq_validate, validate, 1, NULL, 0));
-          return v;
+          t = aq_Acquire(inst, name, aq_validate, validate, 1, NULL, 0);
+          if (t == NULL && PyErr_Occurred() == PyExc_AttributeError)
+            {
+              PyErr_Clear();
+              unauthErr(name, v);
+              goto err;
+            }
+          Py_DECREF(v);
+          return t;
         }
 
       /*
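Review bot: The test `PyErr_Occurred() == PyExc_AttributeError` compares the pending exception type by identity, so an exception whose class derives from AttributeError is not converted here. The Python version in ZopeGuards.py uses `except AttributeError:`, which does match subclasses, so the two implementations of the guard can disagree on whether a denied acquisition surfaces as Unauthorized. Using `if (t == NULL && PyErr_ExceptionMatches(PyExc_AttributeError))` would give the C path the same matching rule. The declaration of `t` and the `err:` label are outside the hunk, so the cleanup of `v` on the `goto err` path cannot be confirmed from here.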