[Zope-Checkins] SVN: Zope/trunk/ - LP #143403: Prevent accidental acquisition of objectValues during

Jens Vagelpohl jens at dataflake.org
Wed Jun 16 11:23:37 EDT 2010 

Log message for revision 113561:
  - LP #143403: Prevent accidental acquisition of objectValues during
    recursive ownership changes when the changed object has no
    objectValues method.
  

Changed:
  U   Zope/trunk/doc/CHANGES.rst
  U   Zope/trunk/src/AccessControl/Owned.py
  U   Zope/trunk/src/AccessControl/tests/testOwned.py

-=-
Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst	2010-06-16 15:20:30 UTC (rev 113560)
+++ Zope/trunk/doc/CHANGES.rst	2010-06-16 15:23:36 UTC (rev 113561)
@@ -181,6 +181,10 @@
 Bugs Fixed
 ++++++++++
 
+- LP #143403: Prevent accidental acquisition of objectValues during
+  recursive ownership changes when the changed object has no
+  objectValues method.
+
 - LP #142535: Fix faulty docstring for manage_changeProperties which
   incorrectly suggested that passing a simple dictionary as REQUEST
   argument was supported.

Modified: Zope/trunk/src/AccessControl/Owned.py
===================================================================
--- Zope/trunk/src/AccessControl/Owned.py	2010-06-16 15:20:30 UTC (rev 113560)
+++ Zope/trunk/src/AccessControl/Owned.py	2010-06-16 15:23:36 UTC (rev 113561)
@@ -166,7 +166,8 @@
                 return
 
         if recursive:
-            for child in self.objectValues():
+            children = getattr( aq_base(self), 'objectValues', lambda :() )()
+            for child in children:
                 child.changeOwnership(user, 1)
 
         if old is not UnownableOwner:

Modified: Zope/trunk/src/AccessControl/tests/testOwned.py
===================================================================
--- Zope/trunk/src/AccessControl/tests/testOwned.py	2010-06-16 15:20:30 UTC (rev 113560)
+++ Zope/trunk/src/AccessControl/tests/testOwned.py	2010-06-16 15:23:36 UTC (rev 113561)
@@ -273,7 +273,25 @@
                          , (['acl_users'], 'user2')
                          )
 
+    def test_changeOwnership_recursive_objectValues_acquisition(self):
+        # See https://bugs.launchpad.net/bugs/143403
+        from AccessControl.Owned import Owned
+        class FauxContent(Implicit, Owned):
+            pass
+        previous_parent_owner = self.root.parent._owner
+        previous_child_owner = self.root.parent.child._owner
+        previous_grandchild_owner = self.root.parent.child.grandchild._owner
+        newuser = self.uf.getUser('user2').__of__(self.uf)
+        self.root.parent.bad = FauxContent()
 
+        self.root.parent.bad.changeOwnership(newuser, recursive=True)
+        self.assertEquals(self.root.parent._owner, previous_parent_owner)
+        self.assertEquals(self.root.parent.child._owner, previous_child_owner)
+        self.assertEquals( self.root.parent.child.grandchild._owner
+                         , previous_grandchild_owner
+                         )
+
+
 def test_suite():
     return unittest.TestSuite((
         unittest.makeSuite(OwnedTests),

More information about the Zope-Checkins mailing list