Add security declarations for the class and make the __call__ permission...

Add security declarations for the class and make the __call__ permission consistent with the view and list permissions. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@12063 20353a03-c40f-0410-a6d1-a30d3c3de9de

Add security declarations for the class and make the call permission...
Add security declarations for the class and make the __call__ permission consistent with the view and list permissions. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@12063 20353a03-c40f-0410-a6d1-a30d3c3de9de
7627bbe0 · Jean-Paul Smets · 38053180 · 7627bbe0
Commit 7627bbe0 authored Jan 13, 2007 by Jean-Paul Smets
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 10 deletions

product/ERP5Type/Base.py product/ERP5Type/Base.py +18 -10

No files found.
--- a/product/ERP5Type/Base.py
+++ b/product/ERP5Type/Base.py
@@ -386,8 +386,11 @@ class Base( CopyContainer,
  aq_preference_generated = 0
  # FIXME: Preference should not be included in ERP5Type

-  # Declarative security
+  # Declarative security - in ERP5 we use AccessContentsInformation to
+  # define the right of accessing content properties as opposed
+  # to view which is the right to view the object with a form
  security = ClassSecurityInfo()
+  security.declareObjectProtected(Permissions.AccessContentsInformation)

  # Declarative properties
  property_sheets = ( PropertySheet.Base, )
@@ -1847,17 +1850,22 @@ class Base( CopyContainer,
    except TypeError:
      return None

-  # Default views
+  # Default views - the default security in CMFCore
+  # is View - however, security was not defined on
+  # __call__ -  to be consistent, between view and
+  # __call__ we have to define permission here to View
+  security.declareProtected(Permissions.View, '__call__')
+
  security.declareProtected(Permissions.View, 'list')
  def list(self,reset=0):
-        '''
-        Returns the default list even if folder_contents is overridden.
-        '''
-        list_action = _getViewFor(self, view='list')
-        if getattr(aq_base(list_action), 'isDocTemp', 0):
-            return apply(list_action, (self, self.REQUEST),reset=reset)
-        else:
-            return list_action(reset=reset)
+    """
+    Returns the default list even if folder_contents is overridden.
+    """
+    list_action = _getViewFor(self, view='list')
+    if getattr(aq_base(list_action), 'isDocTemp', 0):
+        return apply(list_action, (self, self.REQUEST),reset=reset)
+    else:
+        return list_action(reset=reset)

  # Proxy methods for security reasons
  security.declareProtected(Permissions.AccessContentsInformation, 'getOwnerInfo')