Log message for revision 110185: Fix a bug where resources in sub-directories of resource-directories would not be traversable via restrictedTraverse() due to missing security wrappings.
Changed: U Zope/branches/2.12/doc/CHANGES.rst U Zope/branches/2.12/src/Products/Five/browser/resource.py U Zope/branches/2.12/src/Products/Five/browser/tests/resource.txt -=- Modified: Zope/branches/2.12/doc/CHANGES.rst =================================================================== --- Zope/branches/2.12/doc/CHANGES.rst 2010-03-25 16:37:17 UTC (rev 110184) +++ Zope/branches/2.12/doc/CHANGES.rst 2010-03-26 12:39:58 UTC (rev 110185) @@ -20,6 +20,10 @@ Bugs Fixed ++++++++++ +- Zope 3-style resource directories would throw an Unauthorized error when + trying to use restrictedTraverse() to reach a resource in a sub-directory + of the resource directory. + - Restore ability to traverse to 'macros' on template-based browser views. - Protect ZCTextIndex's clear method against storing Acquisition wrappers. Modified: Zope/branches/2.12/src/Products/Five/browser/resource.py =================================================================== --- Zope/branches/2.12/src/Products/Five/browser/resource.py 2010-03-25 16:37:17 UTC (rev 110184) +++ Zope/branches/2.12/src/Products/Five/browser/resource.py 2010-03-26 12:39:58 UTC (rev 110185) @@ -161,6 +161,11 @@ resource = factory(name, filename)(self.request) resource.__name__ = name resource.__parent__ = self + + # We need to propagate security so that restrictedTraverse() will + # work + resource.__roles__ = self.__roles__ + return resource class DirectoryResourceFactory(ResourceFactory): Modified: Zope/branches/2.12/src/Products/Five/browser/tests/resource.txt =================================================================== --- Zope/branches/2.12/src/Products/Five/browser/tests/resource.txt 2010-03-25 16:37:17 UTC (rev 110184) +++ Zope/branches/2.12/src/Products/Five/browser/tests/resource.txt 2010-03-26 12:39:58 UTC (rev 110185) @@ -69,7 +69,6 @@ ... if not isinstance(resource, PageTemplateResource): ... self.assertEquals(resource(), base_url % r) - Security -------- @@ -108,7 +107,15 @@ ... path = base % resource ... checkRestricted(self.folder, 'context.restrictedTraverse("%s")' % path) +Let's make sure restrictedTraverse() works directly, too. It used to get +tripped up on subdirectories due to missing security declarations. + >>> self.folder.restrictedTraverse('++resource++fivetest_resources/resource.txt') is not None + True + + >>> self.folder.restrictedTraverse('++resource++fivetest_resources/resource_subdir/resource.txt') is not None + True + Clean up -------- _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org https://mail.zope.org/mailman/listinfo/zope-checkins