Commit aac2005b authored by 's avatar

- fixed permission check in ObjectManager

parent 3004ee2a
...@@ -11,6 +11,8 @@ http://docs.zope.org/zope2/releases/. ...@@ -11,6 +11,8 @@ http://docs.zope.org/zope2/releases/.
Bugs Fixed Bugs Fixed
++++++++++ ++++++++++
- OFS: Fixed permission check in ObjectManager.
- webdav: Fixed permission check and error handling in DeleteCollection. - webdav: Fixed permission check and error handling in DeleteCollection.
- LP 686664: WebDAV Lock Manager ZMI view wasn't accessible. - LP 686664: WebDAV Lock Manager ZMI view wasn't accessible.
......
...@@ -266,15 +266,15 @@ class ObjectManager(CopyContainer, ...@@ -266,15 +266,15 @@ class ObjectManager(CopyContainer,
def filtered_meta_types(self, user=None): def filtered_meta_types(self, user=None):
# Return a list of the types for which the user has # Return a list of the types for which the user has
# adequate permission to add that type of object. # adequate permission to add that type of object.
user=getSecurityManager().getUser() sm = getSecurityManager()
meta_types=[] meta_types = []
if callable(self.all_meta_types): if callable(self.all_meta_types):
all=self.all_meta_types() all = self.all_meta_types()
else: else:
all=self.all_meta_types all = self.all_meta_types
for meta_type in all: for meta_type in all:
if meta_type.has_key('permission'): if meta_type.has_key('permission'):
if user.has_permission(meta_type['permission'],self): if sm.checkPermission(meta_type['permission'], self):
meta_types.append(meta_type) meta_types.append(meta_type)
else: else:
meta_types.append(meta_type) meta_types.append(meta_type)
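Review bot: The `user` argument of `filtered_meta_types` is now dead: the old line at least rebound it, while the new line reads only `sm = getSecurityManager()`, so a caller passing `user=` silently gets the answer for the current security context. Since the signature presumably has to stay for compatibility, say so in the leading comment, e.g. `# 'user' is ignored; permissions are checked via the current security manager and its policy.` The same comment should record that the `else:` branch appends a meta type with no 'permission' key unconditionally, so omitting the key makes the type listed for every user. `meta_type.has_key('permission')` could also be written `'permission' in meta_type`. The method's return lies outside the visible hunk.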
......
import unittest import unittest
from zope.component.testing import PlacelessSetup
from zope.interface import implements
from AccessControl.owner import EmergencyUserCannotOwn from AccessControl.owner import EmergencyUserCannotOwn
from AccessControl.SecurityManagement import newSecurityManager from AccessControl.SecurityManagement import newSecurityManager
from AccessControl.SecurityManagement import noSecurityManager from AccessControl.SecurityManagement import noSecurityManager
from AccessControl.User import User # before SpecialUsers from AccessControl.SecurityManager import setSecurityPolicy
from AccessControl.SpecialUsers import emergency_user, nobody, system from AccessControl.SpecialUsers import emergency_user, nobody, system
from AccessControl.User import User # before SpecialUsers
from Acquisition import aq_base from Acquisition import aq_base
from Acquisition import Implicit from Acquisition import Implicit
from App.config import getConfiguration from App.config import getConfiguration
from logging import getLogger from logging import getLogger
from zExceptions import BadRequest
from zope.component.testing import PlacelessSetup
from zope.interface import implements
from Zope2.App import zcml
from OFS.interfaces import IItem from OFS.interfaces import IItem
from OFS.metaconfigure import setDeprecatedManageAddDelete from OFS.metaconfigure import setDeprecatedManageAddDelete
from OFS.ObjectManager import ObjectManager from OFS.ObjectManager import ObjectManager
from OFS.SimpleItem import SimpleItem from OFS.SimpleItem import SimpleItem
from Zope2.App import zcml
from zExceptions import BadRequest
logger = getLogger('OFS.subscribers') logger = getLogger('OFS.subscribers')
...@@ -103,6 +104,26 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase): ...@@ -103,6 +104,26 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase):
verifyClass(IContainer, ObjectManager) verifyClass(IContainer, ObjectManager)
verifyClass(IObjectManager, ObjectManager) verifyClass(IObjectManager, ObjectManager)
def test_filtered_meta_types(self):
class _DummySecurityPolicy(object):
def checkPermission(self, permission, object, context):
return permission == 'addFoo'
om = self._makeOne()
om.all_meta_types = ({'name': 'Foo', 'permission': 'addFoo'},
{'name': 'Bar', 'permission': 'addBar'},
{'name': 'Baz'})
try:
oldPolicy = setSecurityPolicy(_DummySecurityPolicy())
self.assertEqual(len(om.filtered_meta_types()), 2)
self.assertEqual(om.filtered_meta_types()[0]['name'], 'Foo')
self.assertEqual(om.filtered_meta_types()[1]['name'], 'Baz')
finally:
noSecurityManager()
setSecurityPolicy(oldPolicy)
def test_setObject_set_owner_with_no_user( self ): def test_setObject_set_owner_with_no_user( self ):
om = self._makeOne() om = self._makeOne()
newSecurityManager( None, None ) newSecurityManager( None, None )
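Review bot: In `test_filtered_meta_types` the call `oldPolicy = setSecurityPolicy(_DummySecurityPolicy())` sits inside the `try:`, so if it raised, the `finally:` would fail on an unbound `oldPolicy` and hide the original error; move that line above `try:`. The dummy policy also ignores its `object` argument, so the test would still pass if `filtered_meta_types` checked the permission against something other than the container. Recording that argument in the dummy and asserting on it after the call would pin the object being checked. `test_setObject_set_owner_with_no_user` continues beyond the hunk.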
......