Commit a88b64fe authored by 's avatar

- reverted workaround in '_verifyObjectPaste'; 'checkPermission' now respects proxy roles

parent c1c380a8
...@@ -472,7 +472,7 @@ class CopyContainer(ExtensionClass.Base): ...@@ -472,7 +472,7 @@ class CopyContainer(ExtensionClass.Base):
if not hasattr(object, 'meta_type'): if not hasattr(object, 'meta_type'):
raise CopyError, MessageDialog( raise CopyError, MessageDialog(
title = 'Not Supported', title = 'Not Supported',
message = ('The object <EM>%s</EM> does not support this' \ message = ('The object <em>%s</em> does not support this' \
' operation' % escape(absattr(object.id))), ' operation' % escape(absattr(object.id))),
action = 'manage_main') action = 'manage_main')
...@@ -492,60 +492,38 @@ class CopyContainer(ExtensionClass.Base): ...@@ -492,60 +492,38 @@ class CopyContainer(ExtensionClass.Base):
mt_permission = d.get('permission') mt_permission = d.get('permission')
break break
if method_name: if mt_permission is not None:
try: sm = getSecurityManager()
method = self.restrictedTraverse(method_name)
# method_name is e.g. if sm.checkPermission(mt_permission, self):
# "manage_addProduct/PageTemplates/manage_addPageTemplateForm". if validate_src:
# restrictedTraverse will raise Unauthorized if it # Ensure the user is allowed to access the object on the
# can't obtain the factory method by name due to a # clipboard.
# security restriction. We depend on this side effect try:
# here! Note that we use restrictedTraverse as parent = aq_parent(aq_inner(object))
# opposed to checkPermission to take into account the except:
# special security circumstances related to proxy parent = None
# roles. See collector #78.
if not sm.validate(None, parent, None, object):
except Unauthorized: raise Unauthorized(absattr(object.id))
if mt_permission:
if validate_src == 2: # moving
if not sm.checkPermission(DeleteObjects, parent):
raise Unauthorized('Delete not allowed.')
else:
raise CopyError, MessageDialog(
title = 'Insufficient Privileges',
message = ('You do not possess the %s permission in the ' message = ('You do not possess the %s permission in the '
'context of the container into which you are ' 'context of the container into which you are '
'pasting, thus you are not able to perform ' 'pasting, thus you are not able to perform '
'this operation.' % mt_permission) 'this operation.' % mt_permission),
else: action = 'manage_main')
message = ('You do not possess the permission required ' else:
'to call %s in the context of the container '
'into which you are pasting, thus you are not '
'able to perform this operation.' % method_name)
raise CopyError, MessageDialog(
title = 'Insufficient Privileges',
message = message,
action = 'manage_main')
if validate_src:
sm = getSecurityManager()
# Ensure the user is allowed to access the object on the
# clipboard.
try:
parent = aq_parent(aq_inner(object))
except:
parent = None
if not sm.validate(None,parent,None,object):
raise Unauthorized, absattr(object.id)
if validate_src == 2: # moving
if not sm.checkPermission(DeleteObjects, parent):
raise Unauthorized, 'Delete not allowed.'
else: # /if method_name
raise CopyError, MessageDialog( raise CopyError, MessageDialog(
title = 'Not Supported', title = 'Not Supported',
message = ('The object <EM>%s</EM> does not support this ' message = ('The object <em>%s</em> does not support this '
'operation.' % escape(absattr(object.id))), 'operation.' % escape(absattr(object.id))),
action = 'manage_main') action = 'manage_main')
Globals.default__class_init__(CopyContainer) Globals.default__class_init__(CopyContainer)
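Review bot: In the `validate_src` branch the bare `except:` around `aq_parent(aq_inner(object))` turns any failure into `parent = None`, and for a move (`validate_src == 2`) the `DeleteObjects` check is then made against `None` instead of the source container, so the outcome is left to whatever the security policy does with a missing context. I would fail closed there with `if parent is None or not sm.checkPermission(DeleteObjects, parent):` and narrow the `except:` to the error that is actually expected. Separately, a meta type entry with no `'permission'` key now ends in the 'Not Supported' dialog, and a comment on the outer `else:` such as `# no add permission registered for this meta type: refuse the paste` would record that this is deliberate. The enclosing method starts outside the hunk.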
...@@ -489,10 +489,10 @@ class TestCopySupportSecurity( CopySupportTestBase ): ...@@ -489,10 +489,10 @@ class TestCopySupportSecurity( CopySupportTestBase ):
folder1, folder2 = self._initFolders() folder1, folder2 = self._initFolders()
folder2.all_meta_types = FILE_META_TYPES folder2.all_meta_types = FILE_META_TYPES
def _no_manage_addFile( a, c, n, v, *args, **kw ): def _no_add_images_and_files(permission, object, context):
return n != 'manage_addFile' return permission != ADD_IMAGES_AND_FILES
self._initPolicyAndUser( v_lambda=_no_manage_addFile ) self._initPolicyAndUser( c_lambda=_no_add_images_and_files )
cookie = folder1.manage_cutObjects( ids=( 'file', ) ) cookie = folder1.manage_cutObjects( ids=( 'file', ) )
self._assertCopyErrorUnauth( folder2.manage_pasteObjects self._assertCopyErrorUnauth( folder2.manage_pasteObjects
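Review bot: Nothing in this hunk exercises the proxy-role case that the commit message gives as the reason for dropping the workaround; `_no_add_images_and_files` only covers a plain denial of `ADD_IMAGES_AND_FILES` through `c_lambda`. Since the paste check now rests on `checkPermission` alone, a companion test in which the permission is available only through a proxy role, and one in which the proxy role lacks it, would pin the behaviour the revert depends on. If such tests exist elsewhere in the file they are not visible here. The test method starts and ends outside the hunk.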