[Checkins] SVN: Zope/trunk/ Fix serious authentication vulnerability in stock configuration.

Tres Seaver tseaver at palladion.com
Mon Oct 24 22:41:46 UTC 2011


Log message for revision 123153:
  Fix serious authentication vulnerability in stock configuration.
  

Changed:
  U   Zope/trunk/doc/CHANGES.rst
  U   Zope/trunk/src/OFS/tests/test_userfolder.py
  U   Zope/trunk/src/OFS/userfolder.py

-=-
Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst	2011-10-24 22:39:13 UTC (rev 123152)
+++ Zope/trunk/doc/CHANGES.rst	2011-10-24 22:41:46 UTC (rev 123153)
@@ -11,6 +11,8 @@
 Bugs Fixed
 ++++++++++
 
+- Fixed serious authentication vulnerability in stock configuration.
+
 - Fixed a regression in webdav support that broke external editor feature.
 
 - Restore ability to undo multiple transactions from the ZMI by using the
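Review bot: the changelog entry gives a deployer nothing to judge exposure by; it should name the concrete cause that the userfolder.py part of this change fixes. Suggested wording: `- Fixed serious authentication vulnerability in stock configuration: BasicUserFolder was never passed to InitializeClass, so its security declarations (e.g. for manage_users) were not applied.`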

Modified: Zope/trunk/src/OFS/tests/test_userfolder.py
===================================================================
--- Zope/trunk/src/OFS/tests/test_userfolder.py	2011-10-24 22:39:13 UTC (rev 123152)
+++ Zope/trunk/src/OFS/tests/test_userfolder.py	2011-10-24 22:41:46 UTC (rev 123153)
@@ -17,7 +17,15 @@
 # TODO class Test_readUserAccessFile(unittest.TestCase)
 
 
-# TODO class BasicUserFoldertests(unittest.TestCase)
+class BasicUserFolderTests(unittest.TestCase):
+ 
+    def _getTargetClass(self):
+        from OFS.userfolder import BasicUserFolder
+        return BasicUserFolder
+ 
+    def test_manage_users_security_initialized(self):
+        uf = self._getTargetClass()()
+        self.assertTrue(hasattr(uf, 'manage_users__roles__'))
 
 
 class UserFolderTests(unittest.TestCase):
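Review bot: `test_manage_users_security_initialized` only proves that `manage_users__roles__` exists on the instance, not that it restricts anything; in Zope's security machinery a `__roles__` value of `None` means public, so an attribute that is present but `None` would still pass this test. Assert on the value as well, e.g. `self.assertNotEqual(uf.manage_users__roles__, None)`, or compare it with the roles the class's security declaration grants. Minor: the two blank lines added inside the new class (`+ `) carry trailing whitespace.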
@@ -171,6 +179,8 @@
 
 
 def test_suite():
-    suite = unittest.TestSuite()
-    suite.addTest(unittest.makeSuite(UserFolderTests))
+    suite = unittest.TestSuite((
+        unittest.makeSuite(BasicUserFolderTests),
+        unittest.makeSuite(UserFolderTests),
+    ))
     return suite

Modified: Zope/trunk/src/OFS/userfolder.py
===================================================================
--- Zope/trunk/src/OFS/userfolder.py	2011-10-24 22:39:13 UTC (rev 123152)
+++ Zope/trunk/src/OFS/userfolder.py	2011-10-24 22:41:46 UTC (rev 123153)
@@ -293,7 +293,9 @@
                 message='Cannot change the id of a UserFolder',
                 action='./manage_main'))
 
+InitializeClass(BasicUserFolder)
 
+
 class UserFolder(accesscontrol_userfolder.UserFolder, BasicUserFolder):
     """Standard UserFolder object
 
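Review bot: `InitializeClass(BasicUserFolder)` is the entire fix, but neither the hunk nor the log message records that the class previously lacked this call, so a reader of the diff cannot tell why adding it closes an authentication hole; a one-line comment above the call (or a sentence in the log message) stating that it applies the class's security declarations would make that clear. It is also worth confirming that every other class in this module with security declarations (`UserFolder` below) already has its own `InitializeClass` call, since the same omission is what caused this bug.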


