Commit 01b2fde2 authored by Jérome Perrin's avatar Jérome Perrin

Fix behaviour of category accessors when a document is related to

another document you cannot access.
The behaviour was different whether you used the default accessor or the list accessor:
 - get(Category)Value raises Unauthorized
 - get(Category)ValueList filters documents you cannot access (because
   exceptions are ignored).

As you can pass checked_permission= to explicitly filter documents you cannot
access, get(Category)ValueList should raise Unauthorized, this also makes
behaviour consistent with get(Category)Value.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@20200 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent c2191538
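--- a/FILE1_PATH_NOT_ON_PAGE
+++ b/FILE1_PATH_NOT_ON_PAGE
@@ -2007,13 +2007,7 @@ class Base( CopyContainer,
     ref_list = []
     for path in self._getAcquiredCategoryMembershipList(id, base=1,
                                           spec=spec, filter=filter, **kw):
-      try:
-        value = self._getCategoryTool().resolveCategory(path)
-        if value is not None: ref_list.append(value)
-      except ConflictError:
-        raise
-      except:
-        LOG("ERP5Type WARNING",0,"category %s has no object value" % path, error=sys.exc_info())
+      ref_list.append(self._getCategoryTool().resolveCategory(path))
     return ref_list
   security.declareProtected(Permissions.AccessContentsInformation,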
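Review bot: The new `ref_list.append(self._getCategoryTool().resolveCategory(path))` no longer skips a `None` result, which the removed `if value is not None` branch guarded against; if `resolveCategory` can still return `None` for a membership path whose target no longer exists, the returned list now carries `None` entries that title/property list accessors built on top of it will trip over. Letting `Unauthorized` (and any other error) propagate instead of being swallowed by the bare `except:` is the point of the change and is the right call; keeping the `None` filter does not undo it: `value = self._getCategoryTool().resolveCategory(path)` / `if value is not None: ref_list.append(value)`. The enclosing method begins outside the hunk, so a one-line comment there stating that an inaccessible related document now raises `Unauthorized` unless `checked_permission=` is passed would document the new contract for callers.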
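--- a/FILE2_PATH_NOT_ON_PAGE
+++ b/FILE2_PATH_NOT_ON_PAGE
@@ -40,6 +40,7 @@ from Products.ERP5Type.tests.utils import installRealClassTool
 from Products.ERP5Type.Utils import removeLocalPropertySheet
 from AccessControl.SecurityManagement import newSecurityManager
 from AccessControl import getSecurityManager
+from AccessControl import Unauthorized
 from Products.ERP5Type.tests.utils import createZODBPythonScript
 from Products.ERP5Type.tests.utils import removeZODBPythonScript
@@ -1763,6 +1764,65 @@ class TestPropertySheet:
                                          checked_permission=checked_permission)
     self.assertSameSet([beta_path, gamma_path], foo.getRegionList())
+  def test_category_accessor_to_unaccessible_documents(self):
+    # Category Accessors raises Unauthorized when you try to access objects
+    # you cannot Access, unless you explictly pass checked_permission=
+    region_category = self.getPortal().portal_categories.region
+    beta_id = "beta"
+    beta_title = "Beta System"
+    beta = region_category.newContent(
+                portal_type = "Category",
+                id = beta_id,
+                title = beta_title, )
+    beta_path = beta.getCategoryRelativeUrl()
+    beta.manage_permission('View', roles=[], acquire=0)
+    beta.manage_permission('Access contents information', roles=[], acquire=0)
+    # with this security setting, it's not possible to access "beta":
+    self.assertRaises(Unauthorized,
+                      region_category.restrictedTraverse, "beta")
+    gamma_id = "gamma"
+    gamma_title = "Gamma System"
+    gamma = region_category.newContent(
+                portal_type = "Category",
+                id = gamma_id,
+                title = gamma_title, )
+    gamma_path = gamma.getCategoryRelativeUrl()
+    # Make sure categories are reindexed
+    get_transaction().commit()
+    self.tic()
+    # Create a new person, and associate it to beta and gamma.
+    module = self.getPersonModule()
+    foo = module.newContent(portal_type='Person', title='Foo')
+    foo.setRegionValueList((beta, gamma))
+    # getRegionList returns relative URLs, no security checks are applied
+    self.assertEquals([beta_path, gamma_path],
+                      foo.getRegionList())
+    self.assertEquals([gamma_path],
+                      foo.getRegionList(checked_permission='View'))
+    # getRegionValueList raises Unauthorized if document is related to
+    # private documents (as always, unless you pass checked_permission)
+    self.assertRaises(Unauthorized, foo.getRegionValueList)
+    self.assertRaises(Unauthorized, foo.getRegionValueSet)
+    self.assertEquals([gamma],
+                      foo.getRegionValueList(checked_permission='View'))
+    # same for property accessors
+    self.assertRaises(Unauthorized, foo.getRegionTitleList)
+    self.assertRaises(Unauthorized, foo.getRegionTitleSet)
+    self.assertEquals(["Gamma System"],
+                      foo.getRegionTitleList(checked_permission='View'))
+    # same for default accessors
+    self.assertRaises(Unauthorized, foo.getRegionValue)
+    self.assertRaises(Unauthorized, foo.getRegionTitle)
   def test_list_accessors(self):
     self._addProperty('Person', '''{'id': 'dummy',
                                     'type': 'lines',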
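Review bot: The fixture in `test_category_accessor_to_unaccessible_documents` revokes both `'View'` and `'Access contents information'` on `beta`, so the test cannot tell which permission the unfiltered accessors enforce, and the `checked_permission='View'` assertions would pass just the same if the accessor were actually checking the other one. Revoking a single permission per case (a second category with only one of the two removed) would pin the contract; short of that, a comment such as `# both permissions are revoked on purpose; which one the unfiltered accessors check is not asserted here` makes the gap explicit for the next reader. The comment on the method's second line also misspells `explicitly` as `explictly`. The surrounding `TestPropertySheet` class starts and ends outside the hunk.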