Log message for revision 40552: - reverted workaround in '_verifyObjectPaste'; 'checkPermission' now respects proxy roles
Changed: U Zope/trunk/lib/python/OFS/CopySupport.py U Zope/trunk/lib/python/OFS/tests/testCopySupport.py -=- Modified: Zope/trunk/lib/python/OFS/CopySupport.py =================================================================== --- Zope/trunk/lib/python/OFS/CopySupport.py 2005-12-05 18:26:31 UTC (rev 40551) +++ Zope/trunk/lib/python/OFS/CopySupport.py 2005-12-05 18:26:49 UTC (rev 40552) @@ -477,7 +477,7 @@ if not hasattr(object, 'meta_type'): raise CopyError, MessageDialog( title = 'Not Supported', - message = ('The object <EM>%s</EM> does not support this' \ + message = ('The object <em>%s</em> does not support this' \ ' operation' % escape(absattr(object.id))), action = 'manage_main') @@ -497,60 +497,38 @@ mt_permission = d.get('permission') break - if method_name: - try: - method = self.restrictedTraverse(method_name) - # method_name is e.g. - # "manage_addProduct/PageTemplates/manage_addPageTemplateForm". - # restrictedTraverse will raise Unauthorized if it - # can't obtain the factory method by name due to a - # security restriction. We depend on this side effect - # here! Note that we use restrictedTraverse as - # opposed to checkPermission to take into account the - # special security circumstances related to proxy - # roles. See collector #78. + if mt_permission is not None: + sm = getSecurityManager() - except Unauthorized: - if mt_permission: + if sm.checkPermission(mt_permission, self): + if validate_src: + # Ensure the user is allowed to access the object on the + # clipboard. + try: + parent = aq_parent(aq_inner(object)) + except: + parent = None + + if not sm.validate(None, parent, None, object): + raise Unauthorized(absattr(object.id)) + + if validate_src == 2: # moving + if not sm.checkPermission(delete_objects, parent): + raise Unauthorized('Delete not allowed.') + else: + raise CopyError, MessageDialog( + title = 'Insufficient Privileges', message = ('You do not possess the %s permission in the ' 'context of the container into which you are ' 'pasting, thus you are not able to perform ' - 'this operation.' % mt_permission) - else: - message = ('You do not possess the permission required ' - 'to call %s in the context of the container ' - 'into which you are pasting, thus you are not ' - 'able to perform this operation.' % method_name) - - raise CopyError, MessageDialog( - title = 'Insufficient Privileges', - message = message, - action = 'manage_main') - - if validate_src: - - sm = getSecurityManager() - - # Ensure the user is allowed to access the object on the - # clipboard. - try: - parent = aq_parent(aq_inner(object)) - except: - parent = None - - if not sm.validate(None,parent,None,object): - raise Unauthorized, absattr(object.id) - - if validate_src == 2: # moving - if not sm.checkPermission(delete_objects, parent): - raise Unauthorized, 'Delete not allowed.' - - else: # /if method_name + 'this operation.' % mt_permission), + action = 'manage_main') + else: raise CopyError, MessageDialog( - title = 'Not Supported', - message = ('The object <EM>%s</EM> does not support this ' - 'operation.' % escape(absattr(object.id))), - action = 'manage_main') + title = 'Not Supported', + message = ('The object <em>%s</em> does not support this ' + 'operation.' % escape(absattr(object.id))), + action = 'manage_main') InitializeClass(CopyContainer) Modified: Zope/trunk/lib/python/OFS/tests/testCopySupport.py =================================================================== --- Zope/trunk/lib/python/OFS/tests/testCopySupport.py 2005-12-05 18:26:31 UTC (rev 40551) +++ Zope/trunk/lib/python/OFS/tests/testCopySupport.py 2005-12-05 18:26:49 UTC (rev 40552) @@ -489,10 +489,10 @@ folder1, folder2 = self._initFolders() folder2.all_meta_types = FILE_META_TYPES - def _no_manage_addFile( a, c, n, v, *args, **kw ): - return n != 'manage_addFile' + def _no_add_images_and_files(permission, object, context): + return permission != ADD_IMAGES_AND_FILES - self._initPolicyAndUser( v_lambda=_no_manage_addFile ) + self._initPolicyAndUser( c_lambda=_no_add_images_and_files ) cookie = folder1.manage_cutObjects( ids=( 'file', ) ) self._assertCopyErrorUnauth( folder2.manage_pasteObjects _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins