Commit 68e1915c authored by Nicolas Dumazet's avatar Nicolas Dumazet

split resetAcquisitionAndSecurity into resetAcquisition and setSecurity and

fix security issues for restricted methods.
This clears, in particularly, tests checking for roles in Interactions


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@42924 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent ea050141
...@@ -119,12 +119,15 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder): ...@@ -119,12 +119,15 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder):
if issubclass(type(parent), PortalTypeMetaClass): if issubclass(type(parent), PortalTypeMetaClass):
PortalTypeMetaClass.subclass_register.setdefault(parent, []).append(cls) PortalTypeMetaClass.subclass_register.setdefault(parent, []).append(cls)
cls.security = ClassSecurityInfo()
cls.workflow_method_registry = {} cls.workflow_method_registry = {}
cls.__isghost__ = True cls.__isghost__ = True
super(GhostBaseMetaClass, cls).__init__(name, bases, dictionary) super(GhostBaseMetaClass, cls).__init__(name, bases, dictionary)
# InitializeClass is evil and removes the security info. Set it up AFTER
# superclass initialization
cls.security = ClassSecurityInfo()
@classmethod @classmethod
def getSubclassList(metacls, cls): def getSubclassList(metacls, cls):
""" """
...@@ -147,18 +150,21 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder): ...@@ -147,18 +150,21 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder):
return property_list return property_list
def resetAcquisitionAndSecurity(cls): def resetAcquisition(cls):
# First, fill the __get__ slot of the class # First, fill the __get__ slot of the class
# that has been null'ed after resetting its __bases__ # that has been null'ed after resetting its __bases__
# This descriptor is the magic allowing __of__ and our # This descriptor is the magic allowing __of__ and our
# _aq_dynamic trick # _aq_dynamic trick
pmc_init_of(cls) pmc_init_of(cls)
# Then, call __class_init__ on the class for security
InitializeClass(cls)
# And we need to do the same thing on subclasses # And we need to do the same thing on subclasses
for subclass in PortalTypeMetaClass.getSubclassList(cls): for subclass in PortalTypeMetaClass.getSubclassList(cls):
pmc_init_of(subclass) pmc_init_of(subclass)
def setSecurity(cls):
# note that after this call the 'security' attribute will be gone.
InitializeClass(cls)
for subclass in PortalTypeMetaClass.getSubclassList(cls):
InitializeClass(subclass) InitializeClass(subclass)
def restoreGhostState(cls): def restoreGhostState(cls):
...@@ -174,7 +180,6 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder): ...@@ -174,7 +180,6 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder):
for attr in cls.__dict__.keys(): for attr in cls.__dict__.keys():
if attr not in ('__module__', if attr not in ('__module__',
'__doc__', '__doc__',
'security',
'workflow_method_registry', 'workflow_method_registry',
'__isghost__', '__isghost__',
'portal_type'): 'portal_type'):
...@@ -184,7 +189,8 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder): ...@@ -184,7 +189,8 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder):
cls.workflow_method_registry.clear() cls.workflow_method_registry.clear()
cls.__bases__ = (ghostbase,) cls.__bases__ = (ghostbase,)
cls.__isghost__ = True cls.__isghost__ = True
cls.resetAcquisitionAndSecurity() cls.resetAcquisition()
cls.security = ClassSecurityInfo()
def __getattr__(cls, name): def __getattr__(cls, name):
""" """
...@@ -308,7 +314,7 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder): ...@@ -308,7 +314,7 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder):
klass.__isghost__ = False klass.__isghost__ = False
klass.__bases__ = base_tuple klass.__bases__ = base_tuple
klass.resetAcquisitionAndSecurity() klass.resetAcquisition()
for key, value in attribute_dict.iteritems(): for key, value in attribute_dict.iteritems():
setattr(klass, key, value) setattr(klass, key, value)
...@@ -318,12 +324,14 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder): ...@@ -318,12 +324,14 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder):
for interface in interface_list: for interface in interface_list:
classImplements(klass, interface) classImplements(klass, interface)
# skip this during the early Base Type / Types Tool generation
# because they dont have accessors, and will mess up
# workflow methods. We KNOW that we will re-load this type anyway
if len(base_tuple) > 1: if len(base_tuple) > 1:
# skip this during the early Base Type / Types Tool generation
# because they dont have accessors, and will mess up
# workflow methods. We KNOW that we will re-load this type
# anyway
klass.generatePortalTypeAccessors(site) klass.generatePortalTypeAccessors(site)
# need to set %s__roles__ for generated methods
cls.setSecurity()
except Exception: except Exception:
import traceback; traceback.print_exc() import traceback; traceback.print_exc()
finally: finally:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment