Commit 4f697ba2 authored by Martin Aspeli's avatar Martin Aspeli

Fix a bug where resources in sub-directories of resource-directories would not...

Fix a bug where resources in sub-directories of resource-directories would not be traversable via restrictedTraverse() due to missing security wrappings.
parent a8beb6f3
...@@ -20,6 +20,10 @@ Features Added ...@@ -20,6 +20,10 @@ Features Added
Bugs Fixed Bugs Fixed
++++++++++ ++++++++++
- Zope 3-style resource directories would throw an Unauthorized error when
trying to use restrictedTraverse() to reach a resource in a sub-directory
of the resource directory.
- Restore ability to traverse to 'macros' on template-based browser views. - Restore ability to traverse to 'macros' on template-based browser views.
- Protect ZCTextIndex's clear method against storing Acquisition wrappers. - Protect ZCTextIndex's clear method against storing Acquisition wrappers.
......
...@@ -161,6 +161,11 @@ class DirectoryResource(Resource, directoryresource.DirectoryResource): ...@@ -161,6 +161,11 @@ class DirectoryResource(Resource, directoryresource.DirectoryResource):
resource = factory(name, filename)(self.request) resource = factory(name, filename)(self.request)
resource.__name__ = name resource.__name__ = name
resource.__parent__ = self resource.__parent__ = self
# We need to propagate security so that restrictedTraverse() will
# work
resource.__roles__ = self.__roles__
return resource return resource
class DirectoryResourceFactory(ResourceFactory): class DirectoryResourceFactory(ResourceFactory):
......
...@@ -69,7 +69,6 @@ PageTemplateResource's __call__ renders the template ...@@ -69,7 +69,6 @@ PageTemplateResource's __call__ renders the template
... if not isinstance(resource, PageTemplateResource): ... if not isinstance(resource, PageTemplateResource):
... self.assertEquals(resource(), base_url % r) ... self.assertEquals(resource(), base_url % r)
Security Security
-------- --------
...@@ -108,6 +107,14 @@ We can now view them all: ...@@ -108,6 +107,14 @@ We can now view them all:
... path = base % resource ... path = base % resource
... checkRestricted(self.folder, 'context.restrictedTraverse("%s")' % path) ... checkRestricted(self.folder, 'context.restrictedTraverse("%s")' % path)
Let's make sure restrictedTraverse() works directly, too. It used to get
tripped up on subdirectories due to missing security declarations.
>>> self.folder.restrictedTraverse('++resource++fivetest_resources/resource.txt') is not None
True
>>> self.folder.restrictedTraverse('++resource++fivetest_resources/resource_subdir/resource.txt') is not None
True
Clean up Clean up
-------- --------
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment