[Zope3-checkins] CVS: Zope3/src/zope/app/contentdirective - contentdirective.py:1.4

Fri, 10 Jan 2003 09:06:59 -0500

Update of /cvs-repository/Zope3/src/zope/app/contentdirective
In directory cvs.zope.org:/tmp/cvs-serv27546

Modified Files:
	contentdirective.py 
Log Message:
Bug: <factory> configuration directive with permission="zope.Public" was
equivalent to one with no permission at all, and thus not accessible from
untrusted code.

Added a unit test to reproduce this and a bug fix.  Could someone familiar with
the code check it?  SteveA had some reservations about whether the directive
itself should perform security wrapping.



=== Zope3/src/zope/app/contentdirective/contentdirective.py 1.3 => 1.4 ===

--- Zope3/src/zope/app/contentdirective/contentdirective.py:1.3	Mon Dec 30 21:51:57 2002
+++ Zope3/src/zope/app/contentdirective/contentdirective.py	Fri Jan 10 09:06:27 2003
@@ -27,7 +27,7 @@
     import protectLikeUnto, protectName, checkPermission, protectSetAttribute
 from zope.app.security.registries.permissionregistry import permissionRegistry
 from zope.security.proxy import ProxyFactory
-from zope.security.checker import NamesChecker
+from zope.security.checker import NamesChecker, CheckerPublic
 from zope.schema.interfaces import IField
 
 PublicPermission = 'zope.Public'
@@ -197,7 +197,11 @@
 
     assertPermission(permission)
     factory = ClassFactory(_class)
-    if permission and (permission != 'zope.Public'):
+
+    if permission == PublicPermission:
+        permission = CheckerPublic
+
+    if permission:
         # XXX should getInterfaces be public, as below?
         factory = ProxyFactory(factory,
                                NamesChecker(('getInterfaces',),



