Merge from 2_6 branch.

Jamie Heilman discovered it was possible for anonymous users to add ZClass permission objects. The newly created permission objects had no real effect on security, but anonymous users should not be able to do this anyway, so this patch fixes the bug. The problem was that PermissionManager never got initiatized. While I was here, I took the opportunity to initialize other classes as well, update the security declaration style, and apply the 'Define permissions' permission.

Merge from 2_6 branch.
Jamie Heilman discovered it was possible for anonymous users to add ZClass permission objects. The newly created permission objects had no real effect on security, but anonymous users should not be able to do this anyway, so this patch fixes the bug. The problem was that PermissionManager never got initiatized. While I was here, I took the opportunity to initialize other classes as well, update the security declaration style, and apply the 'Define permissions' permission.
ab64097b · Shane Hathaway · 865f2b86 · ab64097b · ab64097b · ab64097b
Commit ab64097b authored May 28, 2003 by Shane Hathaway
Showing with 27 additions and 7 deletions

lib/python/AccessControl/Permissions.py lib/python/AccessControl/Permissions.py +2 -1

lib/python/App/Permission.py lib/python/App/Permission.py +21 -6

lib/python/App/Product.py lib/python/App/Product.py +4 -0

No files found.
--- a/lib/python/AccessControl/Permissions.py
+++ b/lib/python/AccessControl/Permissions.py
@@ -12,7 +12,7 @@
 ##############################################################################
 """Constant definitions for built-in Zope permissions"""

-__version__='$Revision: 1.5 $'[11:-2]
+__version__='$Revision: 1.6 $'[11:-2]


 access_contents_information='Access contents information'
@@ -40,6 +40,7 @@ change_configuration='Change configuration'
 change_permissions='Change permissions'
 change_proxy_roles='Change proxy roles'
 create_class_instances='Create class instances'
+define_permissions='Define permissions'
 delete_objects='Delete objects'
 edit_factories='Edit Factories'
 ftp_access='FTP access'

--- a/lib/python/App/Permission.py
+++ b/lib/python/App/Permission.py
@@ -12,10 +12,15 @@
 ##############################################################################
 __doc__='''Zope registerable permissions

-$Id: Permission.py,v 1.8 2002/08/14 21:31:40 mj Exp $'''
-__version__='$Revision: 1.8 $'[11:-2]
+$Id: Permission.py,v 1.9 2003/05/28 14:51:12 shane Exp $'''
+__version__='$Revision: 1.9 $'[11:-2]

 import OFS.SimpleItem, Acquisition, Globals, ExtensionClass, AccessControl.Role
+from AccessControl import ClassSecurityInfo, Permissions
+
+view_management_screens = Permissions.view_management_screens
+define_permissions = Permissions.define_permissions
+

 class Permission(
    AccessControl.Role.RoleManager,
@@ -24,6 +29,7 @@ class Permission(
    "Model Permission meta-data"
    meta_type='Zope Permission'
    icon='p_/Permission_icon'
+    security = ClassSecurityInfo()

    manage_options=(
        (
@@ -39,6 +45,7 @@ class Permission(
        self.title=title
        self.name=name

+    security.declareProtected(define_permissions, 'manage_edit')
    def manage_edit(self, title, name, REQUEST=None):
        "Modify Permission properties."
        if title != self.title: self.title=title
@@ -48,9 +55,11 @@ class Permission(
            self._register()
        if REQUEST is not None: return self.manage_main(self, REQUEST)

+    security.declarePrivate('manage_afterAdd')
    def manage_afterAdd(self, item, container):
        self._register()

+    security.declarePrivate('manage_beforeDelete')
    def manage_beforeDelete(self, item, container):
        self._unregister()

@@ -66,22 +75,26 @@ class Permission(
        product.aq_acquire('_manage_remove_product_permission')(
            product, self.name)

+    security.declareProtected(view_management_screens, 'manage_main')
    manage_main=Globals.DTMLFile('dtml/editPermission',globals())

    index_html=None

+Globals.InitializeClass(Permission)
+
+
 class PermissionManager(ExtensionClass.Base):

-    __ac_permissions__=(
-        ('Define permissions',
-         ('manage_addPermissionForm', 'manage_addPermission')),
-        )
+    security = ClassSecurityInfo()

    meta_types={
        'name': Permission.meta_type, 'action': 'manage_addPermissionForm'
        },

+    security.declareProtected(define_permissions, 'manage_addPermissionForm')
    manage_addPermissionForm=Globals.DTMLFile('dtml/addPermission',globals())
+
+    security.declareProtected(define_permissions, 'manage_addPermission')
    def manage_addPermission(
        self, id, title, permission, REQUEST=None):
        ' '
@@ -89,3 +102,5 @@ class PermissionManager(ExtensionClass.Base):
        self._setObject(id,i)
        if REQUEST is not None:
            return self.manage_main(self,REQUEST,update_menu=1)
+
+Globals.InitializeClass(PermissionManager)
--- a/lib/python/App/Product.py
+++ b/lib/python/App/Product.py
@@ -77,6 +77,9 @@ class ProductFolder(Folder):
    def _canCopy(self, op=0):
        return 0

+Globals.InitializeClass(ProductFolder)
+
+
 class Product(Folder, PermissionManager):
    """Model a product that can be created through the web.
    """
@@ -412,6 +415,7 @@ class Product(Folder, PermissionManager):
        if REQUEST is not None:
            return self.manage_refresh(REQUEST)

+Globals.InitializeClass(Product)


 class CompressedOutputFile: