[Zope3-checkins] CVS: Zope3/src/zope/app - context.py:1.10

Steve Alexander steve@cat-box.net
Fri, 20 Jun 2003 02:59:09 -0400


Update of /cvs-repository/Zope3/src/zope/app
In directory cvs.zope.org:/tmp/cvs-serv30795/src/zope/app

Modified Files:
	context.py 
Log Message:
We can't just use the checker that came in on the object we're context-
wrapping. The wrapper might require other permissions.

I was bitten by this because I'm returning an object from publishTraverse
that needed to be context-decorated. On entry to ContextWrapper, the
object was security-proxied. On exit from ContextWrapper, the decorated
object was security-proxied using the checker it came in with.

The change I'm checking in is to detect this, and if necessary, use a
combined checker.


=== Zope3/src/zope/app/context.py 1.9 => 1.10 ===
--- Zope3/src/zope/app/context.py:1.9	Wed Jun 11 04:56:22 2003
+++ Zope3/src/zope/app/context.py	Fri Jun 20 02:59:08 2003
@@ -164,6 +164,14 @@
             _ob = Wrapper(_ob, _parent, **kw)
 
     if checker is not None:
+        # XXX Problem here is if the wrapper requires a different checker
+        # Let's make a combined checker using the checker we have.
+        # This is similar to what the DecoratedSecurityCheckerDescriptor
+        # does. (See above.)
+        # This behaviour needs a test.
+        wrapper_checker = selectChecker(_ob)
+        if wrapper_checker is not None:
+            checker = CombinedChecker(wrapper_checker, checker)
         _ob = Proxy(_ob, checker)
 
     return _ob