- Merge change for CMF Collector #259

8bf68762 · Tres Seaver · ad3f8ae5 · 8bf68762 · 8bf68762 · 8bf68762
Commit 8bf68762 authored Aug 07, 2004 by Tres Seaver
Showing with 296 additions and 32 deletions

doc/CHANGES.txt doc/CHANGES.txt +3 -0

lib/python/OFS/CopySupport.py lib/python/OFS/CopySupport.py +15 -4

lib/python/OFS/tests/testCopySupport.py lib/python/OFS/tests/testCopySupport.py +278 -28

No files found.
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -144,6 +144,9 @@ Zope Changes

    Bugs fixed

+     - OFS.CopySupport: Enforced "Delete objects" permission during
+       move (CMF Collector #259).
+
     - Removed DWIM'y attempt to filter acquired-but-not-aceessible
       results from 'guarded_getattr'.


--- a/lib/python/OFS/CopySupport.py
+++ b/lib/python/OFS/CopySupport.py
@@ -21,6 +21,7 @@ from zlib import compress, decompress

 from App.Dialogs import MessageDialog
 from AccessControl import getSecurityManager
+from AccessControl.Permissions import delete_objects as DeleteObjects
 from Acquisition import aq_base, aq_inner, aq_parent
 from zExceptions import Unauthorized, BadRequest
 from webdav.Lockable import ResourceLockedError
@@ -152,7 +153,7 @@ class CopyContainer(ExtensionClass.Base):
            m = Moniker.loadMoniker(mdata)
            try: ob = m.bind(app)
            except: raise CopyError, eNotFound
-            self._verifyObjectPaste(ob)
+            self._verifyObjectPaste(ob, validate_src=op+1)
            oblist.append(ob)

        if op==0:
@@ -379,13 +380,23 @@ class CopyContainer(ExtensionClass.Base):
                  action = 'manage_main')

            if validate_src:
+
+                sm = getSecurityManager()
+
                # Ensure the user is allowed to access the object on the
                # clipboard.
-                try:    parent = aq_parent(aq_inner(object))
-                except: parent = None
-                if not getSecurityManager().validate(None,parent,None,object):
+                try:
+                    parent = aq_parent(aq_inner(object))
+                except:
+                    parent = None
+
+                if not sm.validate(None,parent,None,object):
                    raise Unauthorized, absattr(object.id)

+                if validate_src == 2: # moving
+                    if not sm.checkPermission(DeleteObjects, parent):
+                        raise Unauthorized, 'Delete not allowed.'
+
        else: # /if method_name
            raise CopyError, MessageDialog(
                  title   = 'Not Supported',

--- a/lib/python/OFS/tests/testCopySupport.py
+++ b/lib/python/OFS/tests/testCopySupport.py