[Zope-Checkins] SVN: Zope/branches/2.12/ Fix a bug where resources in sub-directories of resource-directories would not be traversable via restrictedTraverse() due to missing security wrappings.

Martin Aspeli optilude at gmx.net
Fri Mar 26 08:39:59 EDT 2010 

Log message for revision 110185:
  Fix a bug where resources in sub-directories of resource-directories would not be traversable via restrictedTraverse() due to missing security wrappings.

Changed:
  U   Zope/branches/2.12/doc/CHANGES.rst
  U   Zope/branches/2.12/src/Products/Five/browser/resource.py
  U   Zope/branches/2.12/src/Products/Five/browser/tests/resource.txt

-=-
Modified: Zope/branches/2.12/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.12/doc/CHANGES.rst	2010-03-25 16:37:17 UTC (rev 110184)
+++ Zope/branches/2.12/doc/CHANGES.rst	2010-03-26 12:39:58 UTC (rev 110185)
@@ -20,6 +20,10 @@
 Bugs Fixed
 ++++++++++
 
+- Zope 3-style resource directories would throw an Unauthorized error when
+  trying to use restrictedTraverse() to reach a resource in a sub-directory
+  of the resource directory.
+
 - Restore ability to traverse to 'macros' on template-based browser views.
 
 - Protect ZCTextIndex's clear method against storing Acquisition wrappers.

Modified: Zope/branches/2.12/src/Products/Five/browser/resource.py
===================================================================
--- Zope/branches/2.12/src/Products/Five/browser/resource.py	2010-03-25 16:37:17 UTC (rev 110184)
+++ Zope/branches/2.12/src/Products/Five/browser/resource.py	2010-03-26 12:39:58 UTC (rev 110185)
@@ -161,6 +161,11 @@
         resource = factory(name, filename)(self.request)
         resource.__name__ = name
         resource.__parent__ = self
+        
+        # We need to propagate security so that restrictedTraverse() will
+        # work
+        resource.__roles__ = self.__roles__
+        
         return resource
 
 class DirectoryResourceFactory(ResourceFactory):

Modified: Zope/branches/2.12/src/Products/Five/browser/tests/resource.txt
===================================================================
--- Zope/branches/2.12/src/Products/Five/browser/tests/resource.txt	2010-03-25 16:37:17 UTC (rev 110184)
+++ Zope/branches/2.12/src/Products/Five/browser/tests/resource.txt	2010-03-26 12:39:58 UTC (rev 110185)
@@ -69,7 +69,6 @@
   ...     if not isinstance(resource, PageTemplateResource):
   ...         self.assertEquals(resource(), base_url % r)
 
-
 Security
 --------
 
@@ -108,7 +107,15 @@
   ...     path = base % resource
   ...     checkRestricted(self.folder, 'context.restrictedTraverse("%s")' % path)
 
+Let's make sure restrictedTraverse() works directly, too. It used to get
+tripped up on subdirectories due to missing security declarations.
 
+  >>> self.folder.restrictedTraverse('++resource++fivetest_resources/resource.txt') is not None
+  True
+  
+  >>> self.folder.restrictedTraverse('++resource++fivetest_resources/resource_subdir/resource.txt') is not None
+  True
+
 Clean up
 --------

More information about the Zope-Checkins mailing list