[Zope-Checkins] SVN: Zope/trunk/ Make ObjectManager's ``get`` and ``__getitem__`` return only "items".

Tres Seaver tseaver at palladion.com
Tue Feb 14 19:04:29 UTC 2012


Log message for revision 124395:
  Make ObjectManager's ``get`` and ``__getitem__`` return only "items".
  
  No longer return attributes / methods from the class or from acquisition.
  Thanks to Richard Mitchell at Netsight for the report.
  
  

Changed:
  U   Zope/trunk/doc/CHANGES.rst
  U   Zope/trunk/src/OFS/ObjectManager.py
  U   Zope/trunk/src/OFS/tests/testApplication.py
  U   Zope/trunk/src/OFS/tests/testObjectManager.py

-=-
Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst	2012-02-14 19:04:05 UTC (rev 124394)
+++ Zope/trunk/doc/CHANGES.rst	2012-02-14 19:04:29 UTC (rev 124395)
@@ -11,6 +11,10 @@
 Bugs Fixed
 ++++++++++
 
+- Ensure that ObjectManager's ``get`` and ``__getitem__`` methods return only
+  "items" (no attributes / methods from the class or from acquisition).
+  Thanks to Richard Mitchell at Netsight for the report.
+
 - Removed HTML tags from exception text of ``Unauthorized`` exception
   because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
   fixed.

Modified: Zope/trunk/src/OFS/ObjectManager.py
===================================================================
--- Zope/trunk/src/OFS/ObjectManager.py	2012-02-14 19:04:05 UTC (rev 124394)
+++ Zope/trunk/src/OFS/ObjectManager.py	2012-02-14 19:04:29 UTC (rev 124395)
@@ -23,6 +23,7 @@
 import re
 import sys
 import time
+from types import NoneType
 
 from AccessControl import ClassSecurityInfo
 from AccessControl.class_init import InitializeClass
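Review bot: The `NoneType` import exists only to support `isinstance(request, (str, NoneType))` in `__getitem__` (next hunk), and that test gives no reason for excluding `str`. If the intent is "only a real request object has `maybe_webdav_client`", the guard reads more directly as `if request is not None and not isinstance(request, basestring):`, which needs no import and also covers `unicode`. Either way, add a comment naming where a string-valued `REQUEST` comes from, e.g. `# REQUEST may be absent or a str placeholder, not a request object (say which code path)`.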
@@ -757,12 +758,13 @@
         return self.manage_delObjects(ids=[name])
 
     def __getitem__(self, key):
-        v=self._getOb(key, None)
-        if v is not None: return v
-        if hasattr(self, 'REQUEST'):
-            request=self.REQUEST
+        if key in self:
+            return self._getOb(key, None)
+        request = getattr(self, 'REQUEST', None)
+        if not isinstance(request, (str, NoneType)):
             method=request.get('REQUEST_METHOD', 'GET')
-            if request.maybe_webdav_client and not method in ('GET', 'POST'):
+            if (request.maybe_webdav_client and
+                method not in ('GET', 'POST')):
                 return NullResource(self, key, request).__of__(self)
         raise KeyError, key
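Review bot: On the hit path, `return self._getOb(key, None)` can hand `None` back to the caller, where the removed code fell through to `KeyError` whenever `_getOb` produced `None`. This only matters if membership and `_getOb` can disagree; neither `__contains__` nor `_getOb` is visible in this hunk. The testApplication.py change, which sets `_objects` separately from a stubbed `_getOb`, suggests they are independent sources. Keeping the old check inside the guard preserves the contract: `v = self._getOb(key, None)` followed by `if v is not None: return v`. Because this membership test is now what keeps class attributes and acquired names out of item access, it is also worth a comment saying so at the `if key in self:` line.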
 
@@ -783,7 +785,9 @@
 
     security.declareProtected(access_contents_information, 'get')
     def get(self, key, default=None):
-        return self._getOb(key, default)
+        if key in self:
+            return self._getOb(key, default)
+        return default
 
     security.declareProtected(access_contents_information, 'keys')
     def keys(self):
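Review bot: `get` now has a narrower contract than `_getOb` (contained items only), but nothing at the definition says so, and the guard looks redundant to anyone who does not know the history. A one-line comment above `if key in self:` would stop a later cleanup from collapsing it back to `return self._getOb(key, default)`, for example `# Only contained items: class attributes and acquired names must yield default.` Use a `#` comment rather than a docstring, because in Zope 2 the publisher takes the presence of a docstring into account when deciding whether an object may be published, so adding one here is not a documentation-only change.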

Modified: Zope/trunk/src/OFS/tests/testApplication.py
===================================================================
--- Zope/trunk/src/OFS/tests/testApplication.py	2012-02-14 19:04:05 UTC (rev 124394)
+++ Zope/trunk/src/OFS/tests/testApplication.py	2012-02-14 19:04:29 UTC (rev 124395)
@@ -57,6 +57,7 @@
     def test___bobo_traverse__attribute_miss_key_hit(self):
         app = self._makeOne()
         app._getOb = lambda x, y: x
+        app._objects = [{'id': 'OTHER', 'meta_type': None}]
         request = {}
         self.assertEqual(app.__bobo_traverse__(request, 'OTHER'), 'OTHER')
 

Modified: Zope/trunk/src/OFS/tests/testObjectManager.py
===================================================================
--- Zope/trunk/src/OFS/tests/testObjectManager.py	2012-02-14 19:04:05 UTC (rev 124394)
+++ Zope/trunk/src/OFS/tests/testObjectManager.py	2012-02-14 19:04:29 UTC (rev 124395)
@@ -412,6 +412,22 @@
         om = self._makeOne()
         self.assertTrue(om)
 
+    def test___getitem___miss(self):
+        om = self._makeOne()
+        self.assertRaises(KeyError, om.__getitem__, 'nonesuch')
+
+    def test___getitem___miss_w_non_instance_attr(self):
+        om = self._makeOne()
+        self.assertRaises(KeyError, om.__getitem__, 'get')
+
+    def test___getitem___hit(self):
+        om = self._makeOne()
+        si1 = SimpleItem('1')
+        om['1'] = si1
+        got = om['1']
+        self.assertTrue(got.aq_self is si1)
+        self.assertTrue(got.aq_parent is om)
+
     def test_get_miss_wo_default(self):
         om = self._makeOne()
         self.assertEqual(om.get('nonesuch'), None)
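Review bot: The new miss tests cover a class attribute (`'get'`), but the log message also promises that names reachable through acquisition are no longer returned, and no test here pins that half; the same gap applies to `test_get_miss_w_non_instance_attr` in the next hunk. A case that wraps the manager in a parent carrying an extra attribute would cover it for `__getitem__`, with a matching `assertEqual(om.get('acquired_only'), None)` case for `get`. The sketch below uses a constructed attribute name and assumes `_makeOne()` returns an acquisition-aware instance, as the `aq_parent` assertion in `test___getitem___hit` suggests. The WebDAV `NullResource` branch and the string-valued `REQUEST` case in `__getitem__` are likewise untested in this commit.

```python
    def test___getitem___miss_w_acquired_attr(self):
        parent = self._makeOne()
        parent.acquired_only = 'value'
        om = self._makeOne().__of__(parent)
        self.assertRaises(KeyError, om.__getitem__, 'acquired_only')
```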
@@ -421,6 +437,10 @@
         obj = object()
         self.assertTrue(om.get('nonesuch', obj) is obj)
 
+    def test_get_miss_w_non_instance_attr(self):
+        om = self._makeOne()
+        self.assertEqual(om.get('get'), None)
+
     def test_get_hit(self):
         om = self._makeOne()
         si1 = SimpleItem('1')


