Brought ZopeSecurityPolicy in line with cAccessControl. aq_base and aq_acquire

are not normally attributes of any object but acquisition wrappers, except in one important case: if container is a module and that module happens to import aq_base or aq_acquire from Acquisition, ZopeSecurityPolicy.validate() does unintended things. This made ModuleSecurityInfo declarations fail when using the Python policy. Now we no longer look at aq_base attributes, but rather the acquisition API, which is what cAccessControl does.

Brought ZopeSecurityPolicy in line with cAccessControl. aq_base and aq_acquire
are not normally attributes of any object but acquisition wrappers, except in one important case: if container is a module and that module happens to import aq_base or aq_acquire from Acquisition, ZopeSecurityPolicy.validate() does unintended things. This made ModuleSecurityInfo declarations fail when using the Python policy. Now we no longer look at aq_base attributes, but rather the acquisition API, which is what cAccessControl does.
5470157e · Shane Hathaway · bdea79a8 · 5470157e
Commit 5470157e authored Aug 21, 2002 by Shane Hathaway
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 6 deletions

lib/python/AccessControl/ZopeSecurityPolicy.py lib/python/AccessControl/ZopeSecurityPolicy.py +10 -6

No files found.
--- a/lib/python/AccessControl/ZopeSecurityPolicy.py
+++ b/lib/python/AccessControl/ZopeSecurityPolicy.py
@@ -13,8 +13,8 @@
 __doc__='''Define Zope\'s default security policy
-$Id: ZopeSecurityPolicy.py,v 1.19 2002/08/14 21:29:07 mj Exp $'''
+$Id: ZopeSecurityPolicy.py,v 1.20 2002/08/21 19:31:59 shane Exp $'''
-__version__='$Revision: 1.19 $'[11:-2]
+__version__='$Revision: 1.20 $'[11:-2]
 _use_python_impl = 0
@@ -89,7 +89,11 @@ if _use_python_impl:
                    return 0
            containerbase = aq_base(container)
-            accessedbase=getattr(accessed, 'aq_base', container)
+            accessedbase = aq_base(accessed)
+            if accessedbase is accessed:
+                # accessed is not a wrapper, so assume that the
+                # value could not have been acquired.
+                accessedbase = container
            ############################################################
            # If roles weren't passed in, we'll try to get them from the object
@@ -111,13 +115,13 @@ if _use_python_impl:
                roles=getattr(container, '__roles__', _noroles)
                if roles is _noroles:
-                    aq=getattr(container, 'aq_acquire', None)
+                    if containerbase is container:
-                    if aq is None:
+                        # Container is not wrapped.
                        roles=_noroles
                        if containerbase is not accessedbase: return 0
                    else:
                        # Try to acquire roles
-                        try: roles=aq('__roles__')
+                        try: roles = container.aq_acquire('__roles__')
                        except AttributeError:
                            roles=_noroles
                            if containerbase is not accessedbase: return 0