Because ZopeSecurityPolicy.checkPermission() used User.has_role(), it did

not behave as expected. Permissions granted to Anonymous didn't necessarily get granted to other roles, for one thing. This is an issue especially for the CMF. User.allowed() is practically the same thing with the parameters reversed, so I changed checkPermission() to call User.allowed() instead. We should be able to deprecate User.has_role() now. I also implemented a minor (micro?) optimization by calling the aq_base module function instead of using getattr().

Because ZopeSecurityPolicy.checkPermission() used User.has_role(), it did
not behave as expected. Permissions granted to Anonymous didn't necessarily get granted to other roles, for one thing. This is an issue especially for the CMF. User.allowed() is practically the same thing with the parameters reversed, so I changed checkPermission() to call User.allowed() instead. We should be able to deprecate User.has_role() now. I also implemented a minor (micro?) optimization by calling the aq_base module function instead of using getattr().
958b76a4 · Shane Hathaway · 6053665c · 958b76a4 · 958b76a4
Commit 958b76a4 authored Jun 07, 2001 by Shane Hathaway
Show whitespace changes
Inline Side-by-side

Showing with 12 additions and 6 deletions

lib/python/AccessControl/User.py lib/python/AccessControl/User.py +3 -1

lib/python/AccessControl/ZopeSecurityPolicy.py lib/python/AccessControl/ZopeSecurityPolicy.py +9 -5

No files found.
--- a/lib/python/AccessControl/User.py
+++ b/lib/python/AccessControl/User.py
@@ -84,7 +84,7 @@
 ##############################################################################
 """Access control package"""

-__version__='$Revision: 1.151 $'[11:-2]
+__version__='$Revision: 1.152 $'[11:-2]

 import Globals, socket, SpecialUsers,re
 import os
@@ -245,6 +245,8 @@ class BasicUser(Implicit):
        """Check whether the user has access to object. The user must
           have one of the roles in object_roles to allow access."""

+        if object_roles is _what_not_even_god_should_do: return 0
+
        # Short-circuit the common case of anonymous access.
        if object_roles is None or 'Anonymous' in object_roles:
            return 1

--- a/lib/python/AccessControl/ZopeSecurityPolicy.py
+++ b/lib/python/AccessControl/ZopeSecurityPolicy.py
@@ -85,13 +85,16 @@
 __doc__='''Define Zope\'s default security policy


-$Id: ZopeSecurityPolicy.py,v 1.10 2001/04/27 20:27:37 shane Exp $'''
-__version__='$Revision: 1.10 $'[11:-2]
+$Id: ZopeSecurityPolicy.py,v 1.11 2001/06/07 22:36:43 shane Exp $'''
+__version__='$Revision: 1.11 $'[11:-2]
+
+from types import StringType

 import SimpleObjectPolicies
 from AccessControl import Unauthorized
 _noroles=SimpleObjectPolicies._noroles
 from zLOG import LOG, PROBLEM
+from Acquisition import aq_base

 from PermissionRole import _what_not_even_god_should_do, rolesForPermissionOn

@@ -112,7 +115,7 @@ class ZopeSecurityPolicy:
            if name[:3]=='aq_' and name not in valid_aq_:
                return 0

-        containerbase=getattr(container, 'aq_base', container)
+        containerbase = aq_base(container)
        accessedbase=getattr(accessed, 'aq_base', container)

        ############################################################
@@ -231,8 +234,9 @@ class ZopeSecurityPolicy:

    def checkPermission(self, permission, object, context):
        roles=rolesForPermissionOn(permission, object)
-        if roles is _what_not_even_god_should_do: return 0
-        return context.user.has_role(roles, object)
+        if type(roles) is StringType:
+            roles=[roles]
+        return context.user.allowed(object, roles)
    

 def cleanupName(name, value):