Commit 88ea35a7 authored by 's avatar

- fixed permission check in ObjectManager

parent d7a80a6b
......@@ -266,15 +266,15 @@ class ObjectManager(CopyContainer,
def filtered_meta_types(self, user=None):
# Return a list of the types for which the user has
# adequate permission to add that type of object.
user=getSecurityManager().getUser()
meta_types=[]
sm = getSecurityManager()
meta_types = []
if callable(self.all_meta_types):
all=self.all_meta_types()
all = self.all_meta_types()
else:
all=self.all_meta_types
all = self.all_meta_types
for meta_type in all:
if meta_type.has_key('permission'):
if user.has_permission(meta_type['permission'],self):
if sm.checkPermission(meta_type['permission'], self):
meta_types.append(meta_type)
else:
meta_types.append(meta_type)
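Review bot: The `user` parameter of `filtered_meta_types` is still in the signature but the new code never reads it, so a caller that passes a user silently gets the answer for the current security manager instead. Since the check now goes through `sm.checkPermission(...)`, the leading comment should say so, for example `# Return the meta types the current security context may add; 'user' is ignored and kept only for backward compatibility.` It is also worth stating in that comment that entries without a `'permission'` key are appended unconditionally by the `else` branch, because that is a fail-open default. The function continues past the end of the hunk, so the return statement is not visible here.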
......
import unittest
from zope.component.testing import PlacelessSetup
from zope.interface import implements
from AccessControl.owner import EmergencyUserCannotOwn
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl.SecurityManagement import noSecurityManager
from AccessControl.User import User # before SpecialUsers
from AccessControl.SecurityManager import setSecurityPolicy
from AccessControl.SpecialUsers import emergency_user, nobody, system
from AccessControl.User import User # before SpecialUsers
from Acquisition import aq_base
from Acquisition import Implicit
from App.config import getConfiguration
from logging import getLogger
from zExceptions import BadRequest
from zope.component.testing import PlacelessSetup
from zope.interface import implements
from Zope2.App import zcml
from OFS.interfaces import IItem
from OFS.metaconfigure import setDeprecatedManageAddDelete
from OFS.ObjectManager import ObjectManager
from OFS.SimpleItem import SimpleItem
from Zope2.App import zcml
from zExceptions import BadRequest
logger = getLogger('OFS.subscribers')
......@@ -103,6 +104,26 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase):
verifyClass(IContainer, ObjectManager)
verifyClass(IObjectManager, ObjectManager)
def test_filtered_meta_types(self):
class _DummySecurityPolicy(object):
def checkPermission(self, permission, object, context):
return permission == 'addFoo'
om = self._makeOne()
om.all_meta_types = ({'name': 'Foo', 'permission': 'addFoo'},
{'name': 'Bar', 'permission': 'addBar'},
{'name': 'Baz'})
try:
oldPolicy = setSecurityPolicy(_DummySecurityPolicy())
self.assertEqual(len(om.filtered_meta_types()), 2)
self.assertEqual(om.filtered_meta_types()[0]['name'], 'Foo')
self.assertEqual(om.filtered_meta_types()[1]['name'], 'Baz')
finally:
noSecurityManager()
setSecurityPolicy(oldPolicy)
def test_setObject_set_owner_with_no_user( self ):
om = self._makeOne()
newSecurityManager( None, None )
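Review bot: In `test_filtered_meta_types` the assignment `oldPolicy = setSecurityPolicy(_DummySecurityPolicy())` sits inside the `try:` block. If that call raises, the `finally` clause hits an unbound `oldPolicy`, and the resulting NameError hides the real failure. Move that line to just above `try:` so the `finally` only runs once there is a policy to restore. The test also exercises only the tuple form of `all_meta_types`; a second case that assigns a callable would cover the other branch of the patched method. `test_setObject_set_owner_with_no_user` continues outside the hunk.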
......