[Zope-Checkins] CVS: Zope/lib/python/Shared/DC/Scripts - Bindings.py:1.9.6.4

Mon Jan 26 15:27:43 EST 2004

Update of /cvs-repository/Zope/lib/python/Shared/DC/Scripts
In directory cvs.zope.org:/tmp/cvs-serv20721/lib/python/Shared/DC/Scripts

Modified Files:
      Tag: Zope-2_6-branch
	Bindings.py 
Log Message:



  - Shared/DC/Scripts/Bindings.py:

    o Make the UnauthorizedBinding object a "spacesuit", which delegates
      protected access to its wrapped object's attributes.  Note that this
      protection may be redundant, in the (normal) case where the
      context or container are accessed from restricted code;  however,
      we need to ensure that trusted code will still lose if it gets
      a space-suited value returned (from untrusted code).

  - AccessControl/test/testBindings.py:

    o Add a test which demonstrates that restricted code can access
      protected attributes, even without any access to the context object
      itself.

    o Expand tests of "raw" container / context access, to show that
      'return context' (for instance) or 'return str(context)' cannot
      be used inappropriately.


=== Zope/lib/python/Shared/DC/Scripts/Bindings.py 1.9.6.3 => 1.9.6.4 ===

--- Zope/lib/python/Shared/DC/Scripts/Bindings.py:1.9.6.3	Wed Jan 21 13:15:16 2004
+++ Zope/lib/python/Shared/DC/Scripts/Bindings.py	Mon Jan 26 15:27:43 2004
@@ -15,6 +15,7 @@
 
 import Globals
 from AccessControl import getSecurityManager
+from AccessControl.ZopeGuards import guarded_getattr
 from Persistence import Persistent
 from string import join, strip
 import re
@@ -161,19 +162,21 @@
        actually using the container binding (for ex. workflow scripts)
        need to take explicit action to fix existing sites."""
 
-    def __init__(self, name):
+    def __init__(self, name, wrapped):
         self._name = name
+        self._wrapped = wrapped
 
     __allow_access_to_unprotected_subobjects__ = 1
 
     def __getattr__(self, name, default=None):
-        name = self.__dict__['_name']
-        raise Unauthorized('Not authorized to access binding: %s' % name)
 
-    def __getitem__(self, key, default=None):
-        name = self.__dict__['_name']
-        raise Unauthorized('Not authorized to access binding: %s' % name)
+        # Make *extra* sure that the wrapper isn't used to access
+        # __call__, __str__, __repr__, etc.
+        if name.startswith('__'):
+            name = self.__dict__['_name']
+            raise Unauthorized('Not authorized to access binding: %s' % name)
 
+        return guarded_getattr(self._wrapped, name, default)
 
 class Bindings:
 
@@ -256,7 +259,7 @@
                 container = getattr(inner, 'aq_parent', None)
                 try: getSecurityManager().validate(parent, container, '', self)
                 except Unauthorized:
-                    return UnauthorizedBinding('context')
+                    return UnauthorizedBinding('context', self)
                 return self
 
     def _getContainer(self):
@@ -269,7 +272,7 @@
                 container = getattr(inner, 'aq_parent', None)
                 try: getSecurityManager().validate(parent, container, '', self)
                 except Unauthorized:
-                    return UnauthorizedBinding('container')
+                    return UnauthorizedBinding('container', self)
                 return self
 
     def _getTraverseSubpath(self):


