Commit ab4649fb authored by Kazuhiko Shiozaki

contribution by Boris Kocherov : initialize FolderMixIn for methods protection.

parent 3ac8a940
......@@ -45,6 +45,7 @@ from Products.ERP5Type import PropertySheet
from Products.ERP5Type.XMLExportImport import Folder_asXML
from Products.ERP5Type.Utils import sortValueList
from Products.ERP5Type import Permissions
from Products.ERP5Type.Globals import InitializeClass
try:
from Products.CMFCore.CMFBTreeFolder import CMFBTreeFolder
......@@ -452,6 +453,7 @@ OFS_HANDLER = 0
BTREE_HANDLER = 1
HBTREE_HANDLER = 2
InitializeClass(FolderMixIn)
class Folder(CopyContainer, CMFBTreeFolder, CMFHBTreeFolder, Base, FolderMixIn):
"""
......
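Review bot: The module-level `InitializeClass(FolderMixIn)` call has no comment explaining why it is needed, so a later cleanup could remove it without any import or syntax error. Going by the commit title and the new test, this call is what applies the mix-in's security declarations, and without it the mix-in's methods can be reached by URL. I would add above it `# Apply FolderMixIn's security declarations; without this its methods can be published by URL.` The FolderMixIn class body is outside the hunk, so the declarations it carries cannot be confirmed from here. Any other mix-in in this module that declares security but is never initialized would presumably have the same exposure and is worth checking.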
......@@ -252,6 +252,17 @@ class TestFolder(ERP5TypeTestCase, LogInterceptor):
self.assertNotEquals(self.folder[obj.getId()].__class__, from_class)
self.assertEquals([1], result)
def test_FolderMixinSecurity(self):
""" Test if FolderMix methods cannot be called by URL """
type_list = ['Folder']
self._setAllowedContentTypesForFolderType(type_list)
obj = self.folder.newContent(portal_type='Folder')
transaction.commit()
response = self.publish('%s/deleteContent?id=%s' % (
self.folder.absolute_url(relative=True), obj.getId()))
self.assertTrue(obj.getId() in self.folder.objectIds())
self.assertEquals(302, response.getStatus())
def test_suite():
suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(TestFolder))
......
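Review bot: In test_FolderMixinSecurity the `self.publish(...)` call carries no credentials, so the asserted 302 presumably reflects an anonymous request being redirected to login, and the test says nothing about a logged-in user who lacks the delete permission. A second request made as such a user, followed by the same `assertTrue(obj.getId() in self.folder.objectIds())` check, would pin the permission itself rather than only the anonymous case. Only deleteContent is exercised; repeating the check for the other FolderMixIn methods that are meant to be protected would catch one of them being left unprotected later. The docstring also misspells the class name and could read `""" Test that FolderMixIn methods cannot be called by URL """`.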