XXX restricted iterator

product/ERP5Type/tests/testRestrictedPythonSecurity.py

@@ -132,3 +132,33 @@ class TestRestrictedPythonSecurity(ERP5TypeTestCase):
         expected=(0, 1),
     )
 
+  def test_restricted_iterator(self):
+    from Products.ERP5Type.Globals import InitializeClass
+    from AccessControl import ClassSecurityInfo
+
+    class Private:
+      security = ClassSecurityInfo()
+      security.declareObjectPrivate()
+      def no(self):
+        return 'no'
+    InitializeClass(Private)
+
+    self.login()
+    self.portal.private = Private()
+
+    self.assertRaises(
+        Unauthorized,
+        self.createAndRunScript,
+        'return context.private.no()')
+
+    self.portal.private_iterator = (x for x in [Private().no])
+    self.assertRaises(
+        Unauthorized,
+        self.createAndRunScript,
+        'return [x for x in context.private_iterator]')
+
+    self.portal.private_iterator = (x for x in [Private().no])
+    self.createAndRunScript(
+        'return [x() for x in context.private_iterator]',
+        expected=['no']
+    )

[Jérome Perrin]

======================================================================
ERROR: test_restricted_iterator (testRestrictedPythonSecurity.TestRestrictedPythonSecurity)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/srv/slapgrid/slappart8/srv/runner/software/287375f0cba269902ba1bc50242839d7/parts/erp5/Products/ERP5Type/tests/testRestrictedPythonSecurity.py", line 163, in test_restricted_iterator
    expected=['no']
  File "/srv/slapgrid/slappart8/srv/runner/software/287375f0cba269902ba1bc50242839d7/parts/erp5/Products/ERP5Type/tests/testRestrictedPythonSecurity.py", line 58, in createAndRunScript
    self.assertEqual(self.runScript(script_container, name), expected)
  File "/srv/slapgrid/slappart8/srv/runner/software/287375f0cba269902ba1bc50242839d7/parts/erp5/Products/ERP5Type/tests/testRestrictedPythonSecurity.py", line 47, in runScript
    return func()
  File "/srv/slapgrid/slappart8/srv/runner/software/287375f0cba269902ba1bc50242839d7/parts/erp5/product/ERP5Type/patches/PythonScript.py", line 179, in __call__
    return self._orig_bindAndExec(args, kw, None)
  File "/srv/slapgrid/slappart8/srv/runner/software/287375f0cba269902ba1bc50242839d7/eggs/Zope2-2.13.27+slapospatched001-py2.7.egg/Shared/DC/Scripts/Bindings.py", line 359, in _bindAndExec
    return self._exec(bound_data, args, kw)
  File "/srv/slapgrid/slappart8/srv/runner/software/287375f0cba269902ba1bc50242839d7/parts/erp5/product/ERP5Type/tests/ERP5TypeTestCase.py", line 1496, in _exec
    return PythonScript_exec(self, *args)
  File "/srv/slapgrid/slappart8/srv/runner/software/287375f0cba269902ba1bc50242839d7/eggs/Products.PythonScripts-2.13.2-py2.7.egg/Products/PythonScripts/PythonScript.py", line 344, in _exec
    result = f(*args, **kw)
  File "Script (Python)", line 1, in 6fab5328-9647-11e9-b0f5-002590a70ad2
  File "/srv/slapgrid/slappart8/srv/runner/software/287375f0cba269902ba1bc50242839d7/eggs/AccessControl-2.13.16-py2.7-linux-x86_64.egg/AccessControl/ZopeGuards.py", line 197, in next
    guard(self.container, ob)
  File "/srv/slapgrid/slappart8/srv/runner/software/287375f0cba269902ba1bc50242839d7/eggs/AccessControl-2.13.16-py2.7-linux-x86_64.egg/AccessControl/ZopeGuards.py", line 227, in guard
    if getSecurityManager().validate(container, container, index, value):
Unauthorized: You are not allowed to access 'no' in this context