Commit c6446fe3 authored by Chris McDonough's avatar Chris McDonough

Collector 78: proxy roles aren't respected when calling manage_pasteObjects.

parent 28f9618a
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
# #
############################################################################## ##############################################################################
__doc__="""Copy interface""" __doc__="""Copy interface"""
__version__='$Revision: 1.85 $'[11:-2] __version__='$Revision: 1.86 $'[11:-2]
import sys, Globals, Moniker, tempfile, ExtensionClass import sys, Globals, Moniker, tempfile, ExtensionClass
from marshal import loads, dumps from marshal import loads, dumps
...@@ -320,71 +320,74 @@ class CopyContainer(ExtensionClass.Base): ...@@ -320,71 +320,74 @@ class CopyContainer(ExtensionClass.Base):
# existing context, such as checking an object during an import # existing context, such as checking an object during an import
# (the object will not yet have been connected to the acquisition # (the object will not yet have been connected to the acquisition
# heirarchy). # heirarchy).
if not hasattr(object, 'meta_type'): if not hasattr(object, 'meta_type'):
raise CopyError, MessageDialog( raise CopyError, MessageDialog(
title='Not Supported', title = 'Not Supported',
message='The object <EM>%s</EM> does not support this' \ message = ('The object <EM>%s</EM> does not support this' \
' operation' % absattr(object.id), ' operation' % absattr(object.id)),
action='manage_main') action = 'manage_main')
mt=object.meta_type
if not hasattr(self, 'all_meta_types'): if not hasattr(self, 'all_meta_types'):
raise CopyError, MessageDialog( raise CopyError, MessageDialog(
title='Not Supported', title = 'Not Supported',
message='Cannot paste into this object.', message = 'Cannot paste into this object.',
action='manage_main') action = 'manage_main')
method_name = None
mt_permission = None
meta_types = absattr(self.all_meta_types)
method_name=None
mt_permission=None
meta_types=absattr(self.all_meta_types)
for d in meta_types: for d in meta_types:
if d['name']==mt: if d['name'] == object.meta_type:
method_name=d['action'] method_name = d['action']
mt_permission=d.get( 'permission', None ) mt_permission = d.get('permission')
break break
if mt_permission is not None: if method_name:
if getSecurityManager().checkPermission( mt_permission, self ): try:
if not validate_src: method = self.restrictedTraverse(method_name)
return # method_name is e.g.
# Ensure the user is allowed to access the object on the # "manage_addProduct/PageTemplates/manage_addPageTemplateForm".
# clipboard. # restrictedTraverse will raise Unauthorized if it
try: parent=aq_parent(aq_inner(object)) # can't obtain the factory method by name due to a
except: parent=None # security restriction. We depend on this side effect
if getSecurityManager().validate(None, parent, None, object): # here! Note that we use restrictedTraverse as
return # opposed to checkPermission to take into account the
raise Unauthorized, absattr(object.id) # special security circumstances related to proxy
# roles. See collector #78.
except Unauthorized:
if mt_permission:
message = ('You do not possess the %s permission in the '
'context of the container into which you are '
'pasting, thus you are not able to perform '
'this operation.' % mt_permission)
else: else:
raise Unauthorized(permission=mt_permission) message = ('You do not possess the permission required '
# 'to call %s in the context of the container '
# XXX: Ancient cruft, left here in true co-dependent fashion 'into which you are pasting, thus you are not '
# to keep from breaking old products which don't put 'able to perform this operation.' % method_name)
# permissions on their metadata registry entries.
# raise CopyError, MessageDialog(
if method_name is not None: title = 'Insufficient Privileges',
meth=self.unrestrictedTraverse(method_name) message = message,
if hasattr(meth, 'im_self'): action = 'manage_main')
parent = meth.im_self
else: if validate_src:
try: parent=aq_parent(aq_inner(meth))
except: parent=None
if getSecurityManager().validate(None, parent, None, meth):
# Ensure the user is allowed to access the object on the # Ensure the user is allowed to access the object on the
# clipboard. # clipboard.
if not validate_src: try: parent = aq_parent(aq_inner(object))
return except: parent = None
try: parent=aq_parent(aq_inner(object)) if not getSecurityManager().validate(None,parent,None,object):
except: parent=None
if getSecurityManager().validate(None, parent, None, object):
return
raise Unauthorized, absattr(object.id) raise Unauthorized, absattr(object.id)
else:
raise Unauthorized, method_name
else: # /if method_name
raise CopyError, MessageDialog( raise CopyError, MessageDialog(
title='Not Supported', title = 'Not Supported',
message='The object <EM>%s</EM> does not support this ' \ message = ('The object <EM>%s</EM> does not support this '
'operation.' % absattr(object.id), 'operation.' % absattr(object.id)),
action='manage_main') action = 'manage_main')
Globals.default__class_init__(CopyContainer) Globals.default__class_init__(CopyContainer)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment