[Zope-Checkins] SVN: Zope/branches/2.13/ Fix serious authentication vulnerability in stock configuration.

Tres Seaver tseaver at palladion.com
Mon Oct 24 22:39:13 UTC 2011


Log message for revision 123152:
  Fix serious authentication vulnerability in stock configuration.
  

Changed:
  U   Zope/branches/2.13/doc/CHANGES.rst
  U   Zope/branches/2.13/src/OFS/tests/test_userfolder.py
  U   Zope/branches/2.13/src/OFS/userfolder.py

-=-
Modified: Zope/branches/2.13/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.13/doc/CHANGES.rst	2011-10-24 22:29:40 UTC (rev 123151)
+++ Zope/branches/2.13/doc/CHANGES.rst	2011-10-24 22:39:13 UTC (rev 123152)
@@ -8,6 +8,7 @@
 2.13.11 (unreleased)
 --------------------
 
+- Fixed serious authentication vulnerability in stock configuration.
 
 2.13.10 (2011-10-04)
 --------------------

Modified: Zope/branches/2.13/src/OFS/tests/test_userfolder.py
===================================================================
--- Zope/branches/2.13/src/OFS/tests/test_userfolder.py	2011-10-24 22:29:40 UTC (rev 123151)
+++ Zope/branches/2.13/src/OFS/tests/test_userfolder.py	2011-10-24 22:39:13 UTC (rev 123152)
@@ -17,7 +17,15 @@
 # TODO class Test_readUserAccessFile(unittest.TestCase)
 
 
-# TODO class BasicUserFoldertests(unittest.TestCase)
+class BasicUserFolderTests(unittest.TestCase):
+ 
+    def _getTargetClass(self):
+        from OFS.userfolder import BasicUserFolder
+        return BasicUserFolder
+ 
+    def test_manage_users_security_initialized(self):
+        uf = self._getTargetClass()()
+        self.assertTrue(hasattr(uf, 'manage_users__roles__'))
 
 
 class UserFolderTests(unittest.TestCase):
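Review bot: `test_manage_users_security_initialized` asserts only that `manage_users__roles__` exists, so it would still pass if the attribute were present but bound to a value that grants public access (in AccessControl a `__roles__` of `None` is the public marker). Pin the value as well, for example `self.assertTrue(uf.manage_users__roles__ is not None)`, or compare it against the roles of the permission that is supposed to guard `manage_users`. The test also covers a single method. BasicUserFolder's other declarations are not visible in this hunk, but if more of its methods are protected, checking each of them would stop a partial regression from going unnoticed.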
@@ -171,6 +179,8 @@
 
 
 def test_suite():
-    suite = unittest.TestSuite()
-    suite.addTest(unittest.makeSuite(UserFolderTests))
+    suite = unittest.TestSuite((
+        unittest.makeSuite(BasicUserFolderTests),
+        unittest.makeSuite(UserFolderTests),
+    ))
     return suite

Modified: Zope/branches/2.13/src/OFS/userfolder.py
===================================================================
--- Zope/branches/2.13/src/OFS/userfolder.py	2011-10-24 22:29:40 UTC (rev 123151)
+++ Zope/branches/2.13/src/OFS/userfolder.py	2011-10-24 22:39:13 UTC (rev 123152)
@@ -293,7 +293,9 @@
                 message='Cannot change the id of a UserFolder',
                 action='./manage_main'))
 
+InitializeClass(BasicUserFolder)
 
+
 class UserFolder(accesscontrol_userfolder.UserFolder, BasicUserFolder):
     """Standard UserFolder object
 


