Collector #2072: Applied patch to fix problem with overly restrictive...

Collector #2072: Applied patch to fix problem with overly restrictive __bobo_traverse__ security and tests.

Collector #2072: Applied patch to fix problem with overly restrictive...
Collector #2072: Applied patch to fix problem with overly restrictive __bobo_traverse__ security and tests.
a8bc52fa · Alec Mitchell · 0f5c2c69 · a8bc52fa · a8bc52fa · a8bc52fa
Commit a8bc52fa authored Apr 21, 2006 by Alec Mitchell
Showing with 80 additions and 2 deletions

doc/CHANGES.txt doc/CHANGES.txt +3 -0

lib/python/OFS/Traversable.py lib/python/OFS/Traversable.py +14 -2

lib/python/OFS/tests/testTraverse.py lib/python/OFS/tests/testTraverse.py +63 -0

No files found.
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -17,6 +17,9 @@ Zope Changes
  Zope 2.9.3 (UNRELEASED)
   Bugs fixed
+      - Collector #2072: Applied patch to fix problem with overly restrictive
+        __bobo_traverse__ security and tests.
      - Added missing Zope 3 packages: zope.app.intid, zope.app.keyreference, 
        zope.app.session, zope.contentprovider, zope.viewlet  

--- a/lib/python/OFS/Traversable.py
+++ b/lib/python/OFS/Traversable.py
@@ -201,8 +201,20 @@ class Traversable:
                        else:
                            # Can't determine container
                            container = _none
-                        if not securityManager.validate(
+                        try:
-                            obj, container, name, next):
+                            validated = securityManager.validate(
+                                                   obj, container, name, next)
+                        except Unauthorized:
+                            # If next is a simple unwrapped property, it's
+                            # parentage is indeterminate, but it may have been
+                            # acquired safely.  In this case validate will
+                            # raise an error, and we can explicitly check that
+                            # our value was acquired safely.
+                            validated = 0
+                            if container is _none and \
+                                   guarded_getattr(obj, name, marker) is next:
+                                validated = 1
+                        if not validated:
                            raise Unauthorized, name
                else:
                    if restricted:

--- a/lib/python/OFS/tests/testTraverse.py
+++ b/lib/python/OFS/tests/testTraverse.py
@@ -22,6 +22,7 @@ import cStringIO
 import transaction
 import ZODB, Acquisition, transaction
 from AccessControl import SecurityManager, Unauthorized
+from AccessControl.Permissions import access_contents_information
 from AccessControl.SecurityManagement import newSecurityManager
 from AccessControl.SecurityManagement import noSecurityManager
 from Acquisition import aq_base
@@ -102,6 +103,16 @@ class BoboTraversable(SimpleItem):
    bb_status = 'screechy'
+class BoboTraversableWithAcquisition(SimpleItem):
+    """
+       A BoboTraversable class which may use acquisition to find objects.
+       This is similar to how the __bobo_traverse__ added by Five behaves).
+    """
+    def __bobo_traverse__(self, request, name):
+        return Acquisition.aq_get(self, name)
 def makeConnection():
    import ZODB
    from ZODB.DemoStorage import DemoStorage
@@ -235,6 +246,58 @@ class TestTraverse( unittest.TestCase ):
        self.failUnless(
            bb.restrictedTraverse('manufactured') is 42)
+    def testBoboTraverseToAcquiredObject(self):
+        # Verify it's possible to use a __bobo_traverse__ which retrieves
+        # objects by acquisition
+        noSecurityManager()
+        SecurityManager.setSecurityPolicy( self.oldPolicy )
+        bb = BoboTraversableWithAcquisition()
+        bb = bb.__of__(self.root)
+        self.assertEqual(
+            bb.restrictedTraverse('folder1'), bb.folder1)
+        self.assertEqual(
+            Acquisition.aq_inner(bb.restrictedTraverse('folder1')),
+            self.root.folder1)
+    def testBoboTraverseToAcquiredProtectedObject(self):
+        # Verify it's possible to use a __bobo_traverse__ which retrieves
+        # objects by acquisition
+        noSecurityManager()
+        SecurityManager.setSecurityPolicy( self.oldPolicy )
+        folder = self.root.folder1
+        # restrict the ability to access the retrieved object itself
+        folder.manage_permission(access_contents_information, [], 0)
+        bb = BoboTraversableWithAcquisition()
+        bb = bb.__of__(self.root)
+        self.failUnlessRaises(Unauthorized,
+                              self.root.folder1.restrictedTraverse, 'folder1')
+    def testBoboTraverseToAcquiredAttribute(self):
+        # Verify it's possible to use __bobo_traverse__ to an acquired
+        # attribute
+        noSecurityManager()
+        SecurityManager.setSecurityPolicy( self.oldPolicy )
+        folder = self.root.folder1
+        folder.stuff = 'stuff here'
+        bb = BoboTraversableWithAcquisition()
+        bb = bb.__of__(folder)
+        self.assertEqual(
+            bb.restrictedTraverse('stuff'), 'stuff here')
+    def testBoboTraverseToAcquiredProtectedAttribute(self):
+        # Verify that using __bobo_traverse__ to get an acquired but
+        # protected attribute results in Unauthorized
+        noSecurityManager()
+        SecurityManager.setSecurityPolicy( self.oldPolicy )
+        folder = self.root.folder1
+        # We protect the the attribute by restricting access to the parent
+        folder.manage_permission(access_contents_information, [], 0)
+        folder.stuff = 'stuff here'
+        bb = BoboTraversableWithAcquisition()
+        bb = bb.__of__(folder)
+        self.failUnlessRaises(Unauthorized,
+                              self.root.folder1.restrictedTraverse, 'stuff')
    def testAcquiredAttributeDenial(self):
        # Verify that restrictedTraverse raises the right kind of exception
        # on denial of access to an acquired attribute.  If it raises