[Zope-Checkins] SVN: Zope/branches/Zope-2_8-branch/ - reverted
workaround in '_verifyObjectPaste';
'checkPermission' now respects proxy roles
Yvo Schubbe
y.2005- at wcm-solutions.de
Mon Dec 5 13:26:16 EST 2005
Log message for revision 40550:
- reverted workaround in '_verifyObjectPaste'; 'checkPermission' now respects proxy roles
Changed:
U Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
U Zope/branches/Zope-2_8-branch/lib/python/OFS/CopySupport.py
U Zope/branches/Zope-2_8-branch/lib/python/OFS/tests/testCopySupport.py
-=-
Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
===================================================================
--- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2005-12-05 17:13:57 UTC (rev 40549)
+++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2005-12-05 18:26:15 UTC (rev 40550)
@@ -26,6 +26,11 @@
Bugs Fixed
+ - CopySupport: Reverted workaround in '_verifyObjectPaste'.
+ 'checkPermission' now respects proxy roles, so the warkaround
+ introduced to fix http://www.zope.org/Collectors/Zope/78 is no longer
+ needed. Meta types listed in all_meta_types need a 'permission' key.
+
- Collector #1774: Harmonize the implementation of
AccessControl.ZopeSecurityPolicy.checkPermission
with 'validate', checking ownership and proxy roles if an
Modified: Zope/branches/Zope-2_8-branch/lib/python/OFS/CopySupport.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/OFS/CopySupport.py 2005-12-05 17:13:57 UTC (rev 40549)
+++ Zope/branches/Zope-2_8-branch/lib/python/OFS/CopySupport.py 2005-12-05 18:26:15 UTC (rev 40550)
@@ -19,6 +19,7 @@
from cgi import escape
from marshal import loads, dumps
from urllib import quote, unquote
+from warnings import warn
from zlib import compress, decompress
import Globals, Moniker, ExtensionClass
@@ -352,7 +353,7 @@
if not hasattr(object, 'meta_type'):
raise CopyError, MessageDialog(
title = 'Not Supported',
- message = ('The object <EM>%s</EM> does not support this' \
+ message = ('The object <em>%s</em> does not support this' \
' operation' % escape(absattr(object.id))),
action = 'manage_main')
@@ -372,36 +373,50 @@
mt_permission = d.get('permission')
break
- if method_name:
- try:
- method = self.restrictedTraverse(method_name)
- # method_name is e.g.
- # "manage_addProduct/PageTemplates/manage_addPageTemplateForm".
- # restrictedTraverse will raise Unauthorized if it
- # can't obtain the factory method by name due to a
- # security restriction. We depend on this side effect
- # here! Note that we use restrictedTraverse as
- # opposed to checkPermission to take into account the
- # special security circumstances related to proxy
- # roles. See collector #78.
+ if mt_permission is not None:
+ sm = getSecurityManager()
- except Unauthorized:
- if mt_permission:
+ if sm.checkPermission(mt_permission, self):
+ if validate_src:
+ # Ensure the user is allowed to access the object on the
+ # clipboard.
+ try:
+ parent = aq_parent(aq_inner(object))
+ except:
+ parent = None
+
+ if not sm.validate(None, parent, None, object):
+ raise Unauthorized(absattr(object.id))
+
+ if validate_src == 2: # moving
+ if not sm.checkPermission(DeleteObjects, parent):
+ raise Unauthorized('Delete not allowed.')
+ else:
+ raise CopyError, MessageDialog(
+ title = 'Insufficient Privileges',
message = ('You do not possess the %s permission in the '
'context of the container into which you are '
'pasting, thus you are not able to perform '
- 'this operation.' % mt_permission)
- else:
+ 'this operation.' % mt_permission),
+ action = 'manage_main')
+ elif method_name:
+ # BBB: fallback for missing or None permission
+ warn("The required 'permission' key is not set or None for meta "
+ "type '%s'. This fallback will be removed in Zope 2.9."
+ % object.meta_type,
+ DeprecationWarning)
+ try:
+ method = self.restrictedTraverse(method_name)
+ except Unauthorized:
+ raise CopyError, MessageDialog(
+ title = 'Insufficient Privileges',
message = ('You do not possess the permission required '
'to call %s in the context of the container '
'into which you are pasting, thus you are not '
- 'able to perform this operation.' % method_name)
+ 'able to perform this operation.'
+ % method_name),
+ action = 'manage_main')
- raise CopyError, MessageDialog(
- title = 'Insufficient Privileges',
- message = message,
- action = 'manage_main')
-
if validate_src:
sm = getSecurityManager()
@@ -420,12 +435,12 @@
if not sm.checkPermission(DeleteObjects, parent):
raise Unauthorized, 'Delete not allowed.'
- else: # /if method_name
+ else:
raise CopyError, MessageDialog(
- title = 'Not Supported',
- message = ('The object <EM>%s</EM> does not support this '
- 'operation.' % escape(absattr(object.id))),
- action = 'manage_main')
+ title = 'Not Supported',
+ message = ('The object <em>%s</em> does not support this '
+ 'operation.' % escape(absattr(object.id))),
+ action = 'manage_main')
Globals.default__class_init__(CopyContainer)
Modified: Zope/branches/Zope-2_8-branch/lib/python/OFS/tests/testCopySupport.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/OFS/tests/testCopySupport.py 2005-12-05 17:13:57 UTC (rev 40549)
+++ Zope/branches/Zope-2_8-branch/lib/python/OFS/tests/testCopySupport.py 2005-12-05 18:26:15 UTC (rev 40550)
@@ -1,19 +1,16 @@
import unittest
import cStringIO
-from mimetools import Message
-from multifile import MultiFile
import transaction
from AccessControl import SecurityManager
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl.SecurityManagement import noSecurityManager
-from Acquisition import Implicit
from Acquisition import aq_base
+from Acquisition import Implicit
from OFS.Application import Application
from OFS.Folder import manage_addFolder
from OFS.Image import manage_addFile
from Testing.makerequest import makerequest
-from webdav.common import rfc1123_date
ADD_IMAGES_AND_FILES = 'Add images and files'
@@ -334,7 +331,7 @@
except CopyError, e:
if ce_regex is not None:
-
+
pattern = re.compile( ce_regex, re.DOTALL )
if pattern.search( e ) is None:
self.fail( "Paste failed; didn't match pattern:\n%s" % e )
@@ -348,7 +345,7 @@
else:
self.fail( "Paste allowed unexpectedly." )
- def _initPolicyAndUser( self
+ def _initPolicyAndUser( self
, a_lambda=None
, v_lambda=None
, c_lambda=None
@@ -406,7 +403,7 @@
)
def test_copy_cant_create_target_metatype_not_supported( self ):
-
+
from OFS.CopySupport import CopyError
folder1, folder2 = self._initFolders()
@@ -437,7 +434,7 @@
self.failUnless( 'file' in folder2.objectIds() )
def test_move_cant_read_source( self ):
-
+
from OFS.CopySupport import CopyError
folder1, folder2 = self._initFolders()
@@ -457,7 +454,7 @@
)
def test_move_cant_create_target_metatype_not_supported( self ):
-
+
from OFS.CopySupport import CopyError
folder1, folder2 = self._initFolders()
@@ -472,16 +469,16 @@
)
def test_move_cant_create_target_metatype_not_allowed( self ):
-
+
from OFS.CopySupport import CopyError
folder1, folder2 = self._initFolders()
folder2.all_meta_types = FILE_META_TYPES
- def _no_manage_addFile( a, c, n, v, *args, **kw ):
- return n != 'manage_addFile'
+ def _no_add_images_and_files(permission, object, context):
+ return permission != ADD_IMAGES_AND_FILES
- self._initPolicyAndUser( v_lambda=_no_manage_addFile )
+ self._initPolicyAndUser( c_lambda=_no_add_images_and_files )
cookie = folder1.manage_cutObjects( ids=( 'file', ) )
self._assertCopyErrorUnauth( folder2.manage_pasteObjects
@@ -491,7 +488,7 @@
)
def test_move_cant_delete_source( self ):
-
+
from OFS.CopySupport import CopyError
from AccessControl.Permissions import delete_objects as DeleteObjects
@@ -518,8 +515,5 @@
suite.addTest( unittest.makeSuite( TestCopySupportSecurity ) )
return suite
-def main():
- unittest.TextTestRunner().run(test_suite())
-
if __name__ == '__main__':
- main()
+ unittest.main(defaultTest='test_suite')
More information about the Zope-Checkins
mailing list