Kirill Smelkov
Zope
Commits
c00164c0
Commit
c00164c0
authored
Dec 05, 2005
by
- reverted workaround in '_verifyObjectPaste'; 'checkPermission' now respects proxy roles
parent
665b04c9
Changes
3
Showing
3 changed files
with
61 additions
and
47 deletions
+61
-47
doc/CHANGES.txt
doc/CHANGES.txt
+5
-0
lib/python/OFS/CopySupport.py
lib/python/OFS/CopySupport.py
+44
-29
lib/python/OFS/tests/testCopySupport.py
lib/python/OFS/tests/testCopySupport.py
+12
-18
doc/CHANGES.txt
...
...
@@ -26,6 +26,11 @@ Zope Changes
Bugs Fixed
- CopySupport: Reverted workaround in '_verifyObjectPaste'.
'checkPermission' now respects proxy roles, so the warkaround
introduced to fix http://www.zope.org/Collectors/Zope/78 is no longer
needed. Meta types listed in all_meta_types need a 'permission' key.
- Collector #1774: Harmonize the implementation of
AccessControl.ZopeSecurityPolicy.checkPermission
with 'validate', checking ownership and proxy roles if an
...
...
lib/python/OFS/CopySupport.py
...
...
@@ -19,6 +19,7 @@ import re, sys, tempfile
from
cgi
import
escape
from
marshal
import
loads
,
dumps
from
urllib
import
quote
,
unquote
from
warnings
import
warn
from
zlib
import
compress
,
decompress
import
Globals
,
Moniker
,
ExtensionClass
...
...
@@ -352,7 +353,7 @@ class CopyContainer(ExtensionClass.Base):
if
not
hasattr
(
object
,
'meta_type'
):
raise
CopyError
,
MessageDialog
(
title
=
'Not Supported'
,
message
=
(
'The object <
EM>%s</EM
> does not support this'
\
message
=
(
'The object <
em>%s</em
> does not support this'
\
' operation'
%
escape
(
absattr
(
object
.
id
))),
action
=
'manage_main'
)
...
...
@@ -372,34 +373,48 @@ class CopyContainer(ExtensionClass.Base):
mt_permission
=
d
.
get
(
'permission'
)
break
if
method_name
:
if
mt_permission
is
not
None
:
sm
=
getSecurityManager
()
if
sm
.
checkPermission
(
mt_permission
,
self
):
if
validate_src
:
# Ensure the user is allowed to access the object on the
# clipboard.
try
:
method
=
self
.
restrictedTraverse
(
method_name
)
# method_name is e.g.
# "manage_addProduct/PageTemplates/manage_addPageTemplateForm".
# restrictedTraverse will raise Unauthorized if it
# can't obtain the factory method by name due to a
# security restriction. We depend on this side effect
# here! Note that we use restrictedTraverse as
# opposed to checkPermission to take into account the
# special security circumstances related to proxy
# roles. See collector #78.
parent
=
aq_parent
(
aq_inner
(
object
))
except
:
parent
=
None
except
Unauthorized
:
if
mt_permission
:
if
not
sm
.
validate
(
None
,
parent
,
None
,
object
):
raise
Unauthorized
(
absattr
(
object
.
id
))
if
validate_src
==
2
:
# moving
if
not
sm
.
checkPermission
(
DeleteObjects
,
parent
):
raise
Unauthorized
(
'Delete not allowed.'
)
else
:
raise
CopyError
,
MessageDialog
(
title
=
'Insufficient Privileges'
,
message
=
(
'You do not possess the %s permission in the '
'context of the container into which you are '
'pasting, thus you are not able to perform '
'this operation.'
%
mt_permission
)
else
:
'this operation.'
%
mt_permission
),
action
=
'manage_main'
)
elif
method_name
:
# BBB: fallback for missing or None permission
warn
(
"The required 'permission' key is not set or None for meta "
"type '%s'. This fallback will be removed in Zope 2.9."
%
object
.
meta_type
,
DeprecationWarning
)
try
:
method
=
self
.
restrictedTraverse
(
method_name
)
except
Unauthorized
:
raise
CopyError
,
MessageDialog
(
title
=
'Insufficient Privileges'
,
message
=
(
'You do not possess the permission required '
'to call %s in the context of the container '
'into which you are pasting, thus you are not '
'able to perform this operation.'
%
method_name
)
raise
CopyError
,
MessageDialog
(
title
=
'Insufficient Privileges'
,
message
=
message
,
'able to perform this operation.'
%
method_name
),
action
=
'manage_main'
)
if
validate_src
:
...
...
@@ -420,10 +435,10 @@ class CopyContainer(ExtensionClass.Base):
if
not
sm
.
checkPermission
(
DeleteObjects
,
parent
):
raise
Unauthorized
,
'Delete not allowed.'
else
:
# /if method_name
else
:
raise
CopyError
,
MessageDialog
(
title
=
'Not Supported'
,
message
=
(
'The object <EM>%s</EM
> does not support this '
message
=
(
'The object <em>%s</em
> does not support this '
'operation.'
%
escape
(
absattr
(
object
.
id
))),
action
=
'manage_main'
)
...
...
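Review bot: In the `@@ -372,34 +373,48 @@` hunk the clipboard-source check wraps `parent = aq_parent(aq_inner(object))` in a bare `except:` and falls back to `parent = None`, which is then passed to `sm.validate(None, parent, None, object)` and, for moves, to `sm.checkPermission(DeleteObjects, parent)`. The rendering has lost the +/- markers, so I am inferring that these lines are on the new side; if they are, any unexpected error in the parent lookup silently becomes an authorization decision made against `None`, and whether that fails closed is not visible on this page. I would catch only the exception the lookup is expected to raise and add a comment such as `# parent lookup failed; confirm the policy denies a move when parent is None`. Separately, the new dialog messages interpolate `mt_permission` and `method_name` without `escape()` while the object id is escaped; these values come from `all_meta_types`, so this is probably a consistency point rather than an injection risk, but `escape(mt_permission)` would keep the HTML handling uniform. `_verifyObjectPaste` starts and ends outside the visible hunks.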
lib/python/OFS/tests/testCopySupport.py
import
unittest
import
cStringIO
from
mimetools
import
Message
from
multifile
import
MultiFile
import
transaction
from
AccessControl
import
SecurityManager
from
AccessControl.SecurityManagement
import
newSecurityManager
from
AccessControl.SecurityManagement
import
noSecurityManager
from
Acquisition
import
Implicit
from
Acquisition
import
aq_base
from
Acquisition
import
Implicit
from
OFS.Application
import
Application
from
OFS.Folder
import
manage_addFolder
from
OFS.Image
import
manage_addFile
from
Testing.makerequest
import
makerequest
from
webdav.common
import
rfc1123_date
ADD_IMAGES_AND_FILES
=
'Add images and files'
...
...
@@ -478,10 +475,10 @@ class TestCopySupportSecurity( CopySupportTestBase ):
folder1
,
folder2
=
self
.
_initFolders
()
folder2
.
all_meta_types
=
FILE_META_TYPES
def
_no_
manage_addFile
(
a
,
c
,
n
,
v
,
*
args
,
**
kw
):
return
n
!=
'manage_addFile'
def
_no_
add_images_and_files
(
permission
,
object
,
context
):
return
permission
!=
ADD_IMAGES_AND_FILES
self
.
_initPolicyAndUser
(
v_lambda
=
_no_manage_addFile
)
self
.
_initPolicyAndUser
(
c_lambda
=
_no_add_images_and_files
)
cookie
=
folder1
.
manage_cutObjects
(
ids
=
(
'file'
,
)
)
self
.
_assertCopyErrorUnauth
(
folder2
.
manage_pasteObjects
...
...
@@ -518,8 +515,5 @@ def test_suite():
suite
.
addTest
(
unittest
.
makeSuite
(
TestCopySupportSecurity
)
)
return
suite
def
main
():
unittest
.
TextTestRunner
().
run
(
test_suite
())
if
__name__
==
'__main__'
:
main
(
)
unittest
.
main
(
defaultTest
=
'test_suite'
)
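Review bot: None of the visible hunks adds a test for the backward-compatibility branch that `_verifyObjectPaste` gains in this commit, where an `all_meta_types` entry has no `permission` key, a DeprecationWarning is emitted and the check falls back to `restrictedTraverse`. The changed test in the `@@ -478,10 +475,10 @@` hunk now denies via `c_lambda=_no_add_images_and_files`, so only the `checkPermission` path is exercised; a companion case using an entry without `permission` and a `v_lambda` denial would pin that the fallback still refuses the paste. A test that runs under proxy roles would also document the assumption stated in the commit message. As a minor style point, the `object` parameter of `_no_add_images_and_files` shadows the builtin; `obj` would avoid that. The test method containing this hunk starts and ends outside it.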