Commit c475f79c authored by Jérome Perrin's avatar Jérome Perrin

We cannot use aq_base on the object, because accessor security uses
_aq_dynamic. The problem is that MethodName__roles__ can be acquired, so one
solution is to call _aq_dynamic explicitly to get MethodName__roles__.



git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@25775 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 23a9bbaa
...@@ -204,21 +204,27 @@ except ImportError: ...@@ -204,21 +204,27 @@ except ImportError:
class __roles__: class __roles__:
@staticmethod @staticmethod
def rolesForPermissionOn(ob): def rolesForPermissionOn(ob):
roles = getattr(aq_base(ob.im_self), '%s__roles__' % ob.__name__, None) # we explictly call _aq_dynamic to prevent acquiering the attribute
# from container
roles = ob.im_self._aq_dynamic('%s__roles__' % ob.__name__)
if roles is None: if roles is None:
return rolesForPermissionOn(None, ob.im_self, ('Manager',), return rolesForPermissionOn(None, ob.im_self, ('Manager',),
'_Modify_portal_content_Permission') '_Modify_portal_content_Permission')
else: else:
return roles # wrap explicitly, because we used _aq_dynamic
return roles.__of__(ob.im_self)
Setter.__roles__ = __roles__ Setter.__roles__ = __roles__
class __roles__: class __roles__:
@staticmethod @staticmethod
def rolesForPermissionOn(ob): def rolesForPermissionOn(ob):
roles = getattr(aq_base(ob.im_self), '%s__roles__' % ob.__name__, None) # we explictly call _aq_dynamic to prevent acquiering the attribute
# from container
roles = ob.im_self._aq_dynamic('%s__roles__' % ob.__name__)
if roles is None: if roles is None:
return rolesForPermissionOn(None, ob.im_self, ('Manager',), return rolesForPermissionOn(None, ob.im_self, ('Manager',),
'_Access_contents_information_Permission') '_Access_contents_information_Permission')
else: else:
return roles # wrap explicitly, because we used _aq_dynamic
return roles.__of__(ob.im_self)
Getter.__roles__ = __roles__ Getter.__roles__ = __roles__
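Review bot: `roles.__of__(ob.im_self)` in both `rolesForPermissionOn` bodies (Setter and Getter) assumes that whatever `_aq_dynamic` returns is acquisition-aware. If a `MethodName__roles__` value is ever a plain tuple or list of role names, this raises AttributeError in the middle of a security check instead of returning the roles. The definition of `_aq_dynamic` is not visible here, so this may already be guaranteed, but a guard such as `return roles.__of__(ob.im_self) if hasattr(roles, '__of__') else roles` would keep the check well-defined. The new comment could also say that a `None` result deliberately falls through to the permission-based lookup, since removing the old `getattr(..., None)` default makes that path depend entirely on `_aq_dynamic` returning `None` rather than raising.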
...@@ -2467,6 +2467,15 @@ class TestPropertySheet: ...@@ -2467,6 +2467,15 @@ class TestPropertySheet:
obj._edit(foo_bar="v3") obj._edit(foo_bar="v3")
self.assertEqual(obj.getFooBar(), "v3") self.assertEqual(obj.getFooBar(), "v3")
def test_accessor_security_and_getTitle_acquisition(self):
obj = self.getOrganisationModule().newContent(portal_type='Organisation')
self.assertTrue(guarded_hasattr(obj, 'getTitle'))
# getTitle__roles__ is defined on ERP5Site class, so it can be acquired,
# and this would be wrong
obj.manage_permission(Permissions.View, [], 0)
obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
self.assertFalse(guarded_hasattr(obj, 'getTitle'))
def test_AddPermission(self): def test_AddPermission(self):
# test "Add permission" on ERP5 Type Information # test "Add permission" on ERP5 Type Information
self.portal.portal_types.manage_addTypeInformation( self.portal.portal_types.manage_addTypeInformation(
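Review bot: `test_accessor_security_and_getTitle_acquisition` covers only the Getter path through `getTitle`, while the same commit changes the Setter's `rolesForPermissionOn` in the same way, so a regression on the setter side would go unnoticed. Assuming `setTitle` is generated the same way, a matching check would be `obj.manage_permission(Permissions.ModifyPortalContent, [], 0)` followed by `self.assertFalse(guarded_hasattr(obj, 'setTitle'))`. The test would also be clearer with a one-line docstring saying that an acquired `getTitle__roles__` must not grant access once the permissions are removed on the object itself.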
......