[Zope-Checkins] SVN: Zope/branches/2.13/ - fixed permission check in ObjectManager

Yvo Schubbe y.2010 at wcm-solutions.de
Tue Dec 28 08:57:19 EST 2010


Log message for revision 119198:
  - fixed permission check in ObjectManager

Changed:
  U   Zope/branches/2.13/doc/CHANGES.rst
  UU  Zope/branches/2.13/src/OFS/ObjectManager.py
  UU  Zope/branches/2.13/src/OFS/tests/testObjectManager.py

-=-
Modified: Zope/branches/2.13/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.13/doc/CHANGES.rst	2010-12-28 13:51:27 UTC (rev 119197)
+++ Zope/branches/2.13/doc/CHANGES.rst	2010-12-28 13:57:19 UTC (rev 119198)
@@ -11,6 +11,8 @@
 Bugs Fixed
 ++++++++++
 
+- OFS: Fixed permission check in ObjectManager.
+
 - webdav: Fixed permission check and error handling in DeleteCollection.
 
 - LP 686664: WebDAV Lock Manager ZMI view wasn't accessible.

Modified: Zope/branches/2.13/src/OFS/ObjectManager.py
===================================================================
--- Zope/branches/2.13/src/OFS/ObjectManager.py	2010-12-28 13:51:27 UTC (rev 119197)
+++ Zope/branches/2.13/src/OFS/ObjectManager.py	2010-12-28 13:57:19 UTC (rev 119198)
@@ -266,15 +266,15 @@
     def filtered_meta_types(self, user=None):
         # Return a list of the types for which the user has
         # adequate permission to add that type of object.
-        user=getSecurityManager().getUser()
-        meta_types=[]
+        sm = getSecurityManager()
+        meta_types = []
         if callable(self.all_meta_types):
-            all=self.all_meta_types()
+            all = self.all_meta_types()
         else:
-            all=self.all_meta_types
+            all = self.all_meta_types
         for meta_type in all:
             if meta_type.has_key('permission'):
-                if user.has_permission(meta_type['permission'],self):
+                if sm.checkPermission(meta_type['permission'], self):
                     meta_types.append(meta_type)
             else:
                 meta_types.append(meta_type)


Property changes on: Zope/branches/2.13/src/OFS/ObjectManager.py
___________________________________________________________________
Deleted: svn:keywords
   - Id

Modified: Zope/branches/2.13/src/OFS/tests/testObjectManager.py
===================================================================
--- Zope/branches/2.13/src/OFS/tests/testObjectManager.py	2010-12-28 13:51:27 UTC (rev 119197)
+++ Zope/branches/2.13/src/OFS/tests/testObjectManager.py	2010-12-28 13:57:19 UTC (rev 119198)
@@ -1,23 +1,24 @@
 import unittest
 
-from zope.component.testing import PlacelessSetup
-from zope.interface import implements
-
 from AccessControl.owner import EmergencyUserCannotOwn
 from AccessControl.SecurityManagement import newSecurityManager
 from AccessControl.SecurityManagement import noSecurityManager
+from AccessControl.SecurityManager import setSecurityPolicy
+from AccessControl.SpecialUsers import emergency_user, nobody, system
 from AccessControl.User import User # before SpecialUsers
-from AccessControl.SpecialUsers import emergency_user, nobody, system
 from Acquisition import aq_base
 from Acquisition import Implicit
 from App.config import getConfiguration
 from logging import getLogger
+from zExceptions import BadRequest
+from zope.component.testing import PlacelessSetup
+from zope.interface import implements
+from Zope2.App import zcml
+
 from OFS.interfaces import IItem
 from OFS.metaconfigure import setDeprecatedManageAddDelete
 from OFS.ObjectManager import ObjectManager
 from OFS.SimpleItem import SimpleItem
-from Zope2.App import zcml
-from zExceptions import BadRequest
 
 logger = getLogger('OFS.subscribers')
 
@@ -103,6 +104,26 @@
         verifyClass(IContainer, ObjectManager)
         verifyClass(IObjectManager, ObjectManager)
 
+    def test_filtered_meta_types(self):
+
+        class _DummySecurityPolicy(object):
+
+            def checkPermission(self, permission, object, context):
+                return permission == 'addFoo'
+
+        om = self._makeOne()
+        om.all_meta_types = ({'name': 'Foo', 'permission': 'addFoo'},
+                             {'name': 'Bar', 'permission': 'addBar'},
+                             {'name': 'Baz'})
+        try:
+            oldPolicy = setSecurityPolicy(_DummySecurityPolicy())
+            self.assertEqual(len(om.filtered_meta_types()), 2)
+            self.assertEqual(om.filtered_meta_types()[0]['name'], 'Foo')
+            self.assertEqual(om.filtered_meta_types()[1]['name'], 'Baz')
+        finally:
+            noSecurityManager()
+            setSecurityPolicy(oldPolicy)
+
     def test_setObject_set_owner_with_no_user( self ):
         om = self._makeOne()
         newSecurityManager( None, None )


Property changes on: Zope/branches/2.13/src/OFS/tests/testObjectManager.py
___________________________________________________________________
Deleted: svn:keywords
   - Id



More information about the Zope-Checkins mailing list