[Zope-Checkins] CVS: Zope/lib/python/OFS - CopySupport.py:1.86
Chris McDonough
chrism at zope.com
Tue Sep 23 17:15:41 EDT 2003
Update of /cvs-repository/Zope/lib/python/OFS
In directory cvs.zope.org:/tmp/cvs-serv6805
Modified Files:
CopySupport.py
Log Message:
Collector 78: proxy roles aren't respected when calling manage_pasteObjects.
=== Zope/lib/python/OFS/CopySupport.py 1.85 => 1.86 ===
--- Zope/lib/python/OFS/CopySupport.py:1.85 Wed May 7 12:04:22 2003
+++ Zope/lib/python/OFS/CopySupport.py Tue Sep 23 17:15:41 2003
@@ -320,71 +320,74 @@
# existing context, such as checking an object during an import
# (the object will not yet have been connected to the acquisition
# heirarchy).
+
if not hasattr(object, 'meta_type'):
raise CopyError, MessageDialog(
- title='Not Supported',
- message='The object <EM>%s</EM> does not support this' \
- ' operation' % absattr(object.id),
- action='manage_main')
- mt=object.meta_type
+ title = 'Not Supported',
+ message = ('The object <EM>%s</EM> does not support this' \
+ ' operation' % absattr(object.id)),
+ action = 'manage_main')
+
if not hasattr(self, 'all_meta_types'):
raise CopyError, MessageDialog(
- title='Not Supported',
- message='Cannot paste into this object.',
- action='manage_main')
-
- method_name=None
- mt_permission=None
- meta_types=absattr(self.all_meta_types)
+ title = 'Not Supported',
+ message = 'Cannot paste into this object.',
+ action = 'manage_main')
+
+ method_name = None
+ mt_permission = None
+ meta_types = absattr(self.all_meta_types)
+
for d in meta_types:
- if d['name']==mt:
- method_name=d['action']
- mt_permission=d.get( 'permission', None )
+ if d['name'] == object.meta_type:
+ method_name = d['action']
+ mt_permission = d.get('permission')
break
- if mt_permission is not None:
- if getSecurityManager().checkPermission( mt_permission, self ):
- if not validate_src:
- return
- # Ensure the user is allowed to access the object on the
- # clipboard.
- try: parent=aq_parent(aq_inner(object))
- except: parent=None
- if getSecurityManager().validate(None, parent, None, object):
- return
- raise Unauthorized, absattr(object.id)
- else:
- raise Unauthorized(permission=mt_permission)
- #
- # XXX: Ancient cruft, left here in true co-dependent fashion
- # to keep from breaking old products which don't put
- # permissions on their metadata registry entries.
- #
- if method_name is not None:
- meth=self.unrestrictedTraverse(method_name)
- if hasattr(meth, 'im_self'):
- parent = meth.im_self
- else:
- try: parent=aq_parent(aq_inner(meth))
- except: parent=None
- if getSecurityManager().validate(None, parent, None, meth):
+ if method_name:
+ try:
+ method = self.restrictedTraverse(method_name)
+ # method_name is e.g.
+ # "manage_addProduct/PageTemplates/manage_addPageTemplateForm".
+ # restrictedTraverse will raise Unauthorized if it
+ # can't obtain the factory method by name due to a
+ # security restriction. We depend on this side effect
+ # here! Note that we use restrictedTraverse as
+ # opposed to checkPermission to take into account the
+ # special security circumstances related to proxy
+ # roles. See collector #78.
+
+ except Unauthorized:
+ if mt_permission:
+ message = ('You do not possess the %s permission in the '
+ 'context of the container into which you are '
+ 'pasting, thus you are not able to perform '
+ 'this operation.' % mt_permission)
+ else:
+ message = ('You do not possess the permission required '
+ 'to call %s in the context of the container '
+ 'into which you are pasting, thus you are not '
+ 'able to perform this operation.' % method_name)
+
+ raise CopyError, MessageDialog(
+ title = 'Insufficient Privileges',
+ message = message,
+ action = 'manage_main')
+
+ if validate_src:
# Ensure the user is allowed to access the object on the
# clipboard.
- if not validate_src:
- return
- try: parent=aq_parent(aq_inner(object))
- except: parent=None
- if getSecurityManager().validate(None, parent, None, object):
- return
- raise Unauthorized, absattr(object.id)
- else:
- raise Unauthorized, method_name
-
- raise CopyError, MessageDialog(
- title='Not Supported',
- message='The object <EM>%s</EM> does not support this ' \
- 'operation.' % absattr(object.id),
- action='manage_main')
+ try: parent = aq_parent(aq_inner(object))
+ except: parent = None
+ if not getSecurityManager().validate(None,parent,None,object):
+ raise Unauthorized, absattr(object.id)
+
+ else: # /if method_name
+ raise CopyError, MessageDialog(
+ title = 'Not Supported',
+ message = ('The object <EM>%s</EM> does not support this '
+ 'operation.' % absattr(object.id)),
+ action = 'manage_main')
Globals.default__class_init__(CopyContainer)
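Review bot: In the `if method_name:` branch the paste authorization now rests entirely on whatever protects the `action` path that `restrictedTraverse` resolves; `mt_permission` is still read from the registry entry but is used only to word the error message. If a registry entry's `action` is guarded by a different or weaker permission than its `permission` key (not visible from this hunk, so worth confirming against the registered products), the paste would be allowed without the add permission that the removed `checkPermission(mt_permission, self)` call enforced. I would record that assumption in the existing comment, e.g. `# NOTE: the factory named by d['action'] must itself be protected by d['permission']; mt_permission is only used for the error text.` The `method =` binding is never read, so `self.restrictedTraverse(method_name)` on its own would make it clearer that the call is there only for its security side effect. The enclosing method begins above the hunk.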