From f6f5f0070a074bca4803880c61971d822069d324 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9rome=20Perrin?= <jerome@nexedi.com>
Date: Mon, 20 Sep 2010 09:35:15 +0000
Subject: [PATCH] fix accessors security. Class defined permissions are sometimes
 given as a permission role, sometimes directly as a list or as None. We have
 to make a difference for the cases where _aq_dynamic returns None and cases
 where security is set to None

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@38475 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5Type/Accessor/Base.py | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/product/ERP5Type/Accessor/Base.py b/product/ERP5Type/Accessor/Base.py
index fa623f0d42..d86a28b4c8 100644
--- a/product/ERP5Type/Accessor/Base.py
+++ b/product/ERP5Type/Accessor/Base.py
@@ -117,10 +117,14 @@ class Setter(Method):
         roles = getattr(im_self.__class__, name, im_self)
         if roles is im_self:
           roles = im_self._aq_dynamic(name)
-        if roles is None:
-          return rolesForPermissionOn(None, im_self, ('Manager',),
-                                      '_Modify_portal_content_Permission')
-        return roles.__of__(im_self)
+          if roles is None:
+            return rolesForPermissionOn(None, im_self, ('Manager',),
+                                        '_Modify_portal_content_Permission')
+        # if roles has an __of__ method, call it explicitly, as the Method
+        # already has an __of__ method that has been already called at this
+        # point.
+        roles = getattr(roles, '__of__', lambda aq_parent: roles)(im_self)
+        return roles
 
 
 from Products.CMFCore.Expression import Expression
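Review bot: A class-level value of None for `name` is now returned unchanged, because the Manager-only fallback moved under `if roles is im_self:` and applies only when `_aq_dynamic(name)` yields None. In Zope's AccessControl a roles value of None is normally read as public access, so on this path the accessor is no longer role-checked; that appears to be the intent of the commit message, but nothing in the code says so. I would add a comment above the `__of__` line such as `# roles is None only when the class declares it explicitly, i.e. the accessor is public`, and a test covering a class-declared None next to a dynamic None. The same applies to the Getter hunk below; the enclosing method starts outside both hunks.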
@@ -196,10 +200,11 @@ class Getter(Method):
         roles = getattr(im_self.__class__, name, im_self)
         if roles is im_self:
           roles = im_self._aq_dynamic(name)
-        if roles is None:
-          return rolesForPermissionOn(None, im_self, ('Manager',),
-                                      '_Access_contents_information_Permission')
-        return roles.__of__(im_self)
+          if roles is None:
+            return rolesForPermissionOn(None, im_self, ('Manager',),
+                                        '_Access_contents_information_Permission')
+        roles = getattr(roles, '__of__', lambda aq_parent: roles)(im_self)
+        return roles
 
 
 class Tester(Method):
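Review bot: The Getter copy of `roles = getattr(roles, '__of__', lambda aq_parent: roles)(im_self)` carries no comment, while the identical line in Setter is explained, so a reader of this method alone cannot tell why `__of__` is optional. The lambda with an unused parameter that closes over `roles` is also harder to read than `wrap = getattr(roles, '__of__', None)` followed by `if wrap is not None: roles = wrap(im_self)`. Since the two bodies now differ only in the permission name, a shared helper taking that name would keep the security-relevant fallback in one place. The method starts outside the hunk.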
-- 
2.30.9