Commit a88b64fe authored by 's avatar

- reverted workaround in '_verifyObjectPaste'; 'checkPermission' now respects proxy roles

parent c1c380a8
......@@ -472,7 +472,7 @@ class CopyContainer(ExtensionClass.Base):
if not hasattr(object, 'meta_type'):
raise CopyError, MessageDialog(
title = 'Not Supported',
message = ('The object <EM>%s</EM> does not support this' \
message = ('The object <em>%s</em> does not support this' \
' operation' % escape(absattr(object.id))),
action = 'manage_main')
......@@ -492,40 +492,11 @@ class CopyContainer(ExtensionClass.Base):
mt_permission = d.get('permission')
break
if method_name:
try:
method = self.restrictedTraverse(method_name)
# method_name is e.g.
# "manage_addProduct/PageTemplates/manage_addPageTemplateForm".
# restrictedTraverse will raise Unauthorized if it
# can't obtain the factory method by name due to a
# security restriction. We depend on this side effect
# here! Note that we use restrictedTraverse as
# opposed to checkPermission to take into account the
# special security circumstances related to proxy
# roles. See collector #78.
except Unauthorized:
if mt_permission:
message = ('You do not possess the %s permission in the '
'context of the container into which you are '
'pasting, thus you are not able to perform '
'this operation.' % mt_permission)
else:
message = ('You do not possess the permission required '
'to call %s in the context of the container '
'into which you are pasting, thus you are not '
'able to perform this operation.' % method_name)
raise CopyError, MessageDialog(
title = 'Insufficient Privileges',
message = message,
action = 'manage_main')
if validate_src:
if mt_permission is not None:
sm = getSecurityManager()
if sm.checkPermission(mt_permission, self):
if validate_src:
# Ensure the user is allowed to access the object on the
# clipboard.
try:
......@@ -533,17 +504,24 @@ class CopyContainer(ExtensionClass.Base):
except:
parent = None
if not sm.validate(None,parent,None,object):
raise Unauthorized, absattr(object.id)
if not sm.validate(None, parent, None, object):
raise Unauthorized(absattr(object.id))
if validate_src == 2: # moving
if not sm.checkPermission(DeleteObjects, parent):
raise Unauthorized, 'Delete not allowed.'
else: # /if method_name
raise Unauthorized('Delete not allowed.')
else:
raise CopyError, MessageDialog(
title = 'Insufficient Privileges',
message = ('You do not possess the %s permission in the '
'context of the container into which you are '
'pasting, thus you are not able to perform '
'this operation.' % mt_permission),
action = 'manage_main')
else:
raise CopyError, MessageDialog(
title = 'Not Supported',
message = ('The object <EM>%s</EM> does not support this '
message = ('The object <em>%s</em> does not support this '
'operation.' % escape(absattr(object.id))),
action = 'manage_main')
......
......@@ -489,10 +489,10 @@ class TestCopySupportSecurity( CopySupportTestBase ):
folder1, folder2 = self._initFolders()
folder2.all_meta_types = FILE_META_TYPES
def _no_manage_addFile( a, c, n, v, *args, **kw ):
return n != 'manage_addFile'
def _no_add_images_and_files(permission, object, context):
return permission != ADD_IMAGES_AND_FILES
self._initPolicyAndUser( v_lambda=_no_manage_addFile )
self._initPolicyAndUser( c_lambda=_no_add_images_and_files )
cookie = folder1.manage_cutObjects( ids=( 'file', ) )
self._assertCopyErrorUnauth( folder2.manage_pasteObjects
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment