Fix a bug where resources in sub-directories of resource-directories would not...

Fix a bug where resources in sub-directories of resource-directories would not be traversable via restrictedTraverse() due to missing security wrappings.

doc/CHANGES.rst

@@ -20,6 +20,10 @@ Features Added
 Bugs Fixed
 ++++++++++
 
+- Zope 3-style resource directories would throw an Unauthorized error when
+  trying to use restrictedTraverse() to reach a resource in a sub-directory
+  of the resource directory.
+
 - Restore ability to traverse to 'macros' on template-based browser views.
 
 - Protect ZCTextIndex's clear method against storing Acquisition wrappers.

src/Products/Five/browser/resource.py

@@ -161,6 +161,11 @@ class DirectoryResource(Resource, directoryresource.DirectoryResource):
         resource = factory(name, filename)(self.request)
         resource.__name__ = name
         resource.__parent__ = self
+        
+        # We need to propagate security so that restrictedTraverse() will
+        # work
+        resource.__roles__ = self.__roles__
+        
         return resource
 
 class DirectoryResourceFactory(ResourceFactory):

src/Products/Five/browser/tests/resource.txt

@@ -69,7 +69,6 @@ PageTemplateResource's __call__ renders the template
   ...     if not isinstance(resource, PageTemplateResource):
   ...         self.assertEquals(resource(), base_url % r)
 
-
 Security
 --------
 
@@ -108,6 +107,14 @@ We can now view them all:
   ...     path = base % resource
   ...     checkRestricted(self.folder, 'context.restrictedTraverse("%s")' % path)
 
+Let's make sure restrictedTraverse() works directly, too. It used to get
+tripped up on subdirectories due to missing security declarations.
+
+  >>> self.folder.restrictedTraverse('++resource++fivetest_resources/resource.txt') is not None
+  True
+  
+  >>> self.folder.restrictedTraverse('++resource++fivetest_resources/resource_subdir/resource.txt') is not None
+  True
 
 Clean up
 --------