honor class defined security for generated accessors.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@38378 20353a03-c40f-0410-a6d1-a30d3c3de9de

honor class defined security for generated accessors.
git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@38378 20353a03-c40f-0410-a6d1-a30d3c3de9de
e1c306ef · Jérome Perrin · 5e3a32ca · e1c306ef
Commit e1c306ef authored Sep 15, 2010 by Jérome Perrin
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 6 deletions

product/ERP5Type/Accessor/Base.py product/ERP5Type/Accessor/Base.py +19 -6

No files found.
--- a/product/ERP5Type/Accessor/Base.py
+++ b/product/ERP5Type/Accessor/Base.py
@@ -106,15 +106,23 @@ class Setter(Method):
    class __roles__:
      @staticmethod
      def rolesForPermissionOn(ob):
+        im_self = ob.im_self
+        name = '%s__roles__' % ob.__name__
        # we explictly call _aq_dynamic to prevent acquiering the attribute
        # from container
-        roles = ob.im_self._aq_dynamic('%s__roles__' % ob.__name__)
+        roles = im_self._aq_dynamic(name)
        if roles is None:
-            return rolesForPermissionOn(None, ob.im_self, ('Manager',),
+            # lookup on the class, as getRoles gives priority to ob.__roles__
+            # over class.ob__roles__, this way we have an opportunity to define
+            # security on the class for generated methods.
+            class_role = getattr(im_self.__class__, name, im_self)
+            if class_role is not im_self:
+                return class_role
+            return rolesForPermissionOn(None, im_self, ('Manager',),
                                        '_Modify_portal_content_Permission')
        else:
            # wrap explicitly, because we used _aq_dynamic
-            return roles.__of__(ob.im_self)
+            return roles.__of__(im_self)


 from Products.CMFCore.Expression import Expression
@@ -183,15 +191,20 @@ class Getter(Method):
    class __roles__:
      @staticmethod
      def rolesForPermissionOn(ob):
+        im_self = ob.im_self
+        name = '%s__roles__' % ob.__name__
        # we explictly call _aq_dynamic to prevent acquiering the attribute
        # from container
-        roles = ob.im_self._aq_dynamic('%s__roles__' % ob.__name__)
+        roles = im_self._aq_dynamic(name)
        if roles is None:
-            return rolesForPermissionOn(None, ob.im_self, ('Manager',),
+            class_role = getattr(im_self.__class__, name, im_self)
+            if class_role is not im_self:
+                return class_role
+            return rolesForPermissionOn(None, im_self, ('Manager',),
                                        '_Access_contents_information_Permission')
        else:
            # wrap explicitly, because we used _aq_dynamic
-            return roles.__of__(ob.im_self)
+            return roles.__of__(im_self)


 class Tester(Method):