Added an _unrestrictedGetObject method to catalog brains.

e62eb1f6 · Florent Guillaume · b034b352 · e62eb1f6 · e62eb1f6 · e62eb1f6
Commit e62eb1f6 authored Apr 22, 2005 by Florent Guillaume
3 changed files
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -30,6 +30,9 @@ Zope Changes
      - Added lazy: TAL expression and fixed defer: expression for python
        expression

+      - ZCatalog.CatalogBrains: An _unrestrictedGetObject method has
+        been added.
+
    Bugs fixed
  
      - Collector #1754: Fixed import of 'transaction' in
@@ -59,7 +62,7 @@ Zope Changes
        cannot access (raising Unauthorized).  Sites which rely on the old
        behavior can restore setting a new zope.conf option,
        'catalog-getObject-raises', to "off".
-        
+
        This compatibility option will be removed in Zope 2.10.

      - PluginIndexes: the ZCatalog's "Indexes" tab now show the number of

--- a/lib/python/Products/ZCatalog/CatalogBrains.py
+++ b/lib/python/Products/ZCatalog/CatalogBrains.py
@@ -14,12 +14,10 @@
 __version__ = "$Revision$"[11:-2]

 import Acquisition, Record
-from zExceptions import NotFound
-from zExceptions import Unauthorized
 from ZODB.POSException import ConflictError

-# Switch for new behavior, raise NotFound instead of returning None.
-# Use 'catalog-getOb-raises off' in zope.conf to restore old behavior.
+# Switch for new behavior, raise exception instead of returning None.
+# Use 'catalog-getObject-raises off' in zope.conf to restore old behavior.
 GETOBJECT_RAISES = True

 class AbstractCatalogBrain(Record.Record, Acquisition.Implicit):
@@ -45,6 +43,20 @@ class AbstractCatalogBrain(Record.Record, Acquisition.Implicit):
        #     avoid bare except band-aids and find a real solution.
        return self.REQUEST.physicalPathToURL(self.getPath(), relative)

+    def _unrestrictedGetObject(self):
+        """Return the object for this record
+
+        Same as getObject, but does not do security checks.
+        """
+        try:
+            return self.aq_parent.unrestrictedTraverse(self.getPath())
+        except ConflictError:
+            raise
+        except:
+            if GETOBJECT_RAISES:
+                raise
+            return None
+
    def getObject(self, REQUEST=None):
        """Return the object for this record


--- a/lib/python/Products/ZCatalog/tests/testCatalog.py
+++ b/lib/python/Products/ZCatalog/tests/testCatalog.py
@@ -626,7 +626,7 @@ class TestZCatalogGetObject(unittest.TestCase):
        self.assertEqual(brain.getObject().getId(), 'ob')

    def test_getObject_missing_raises_NotFound(self):
-        # Check that if the object is missing None is returned
+        # Check that if the object is missing we raise
        from zExceptions import NotFound
        self._init_getObject_flag(True)
        root = self.root
@@ -699,6 +699,64 @@ class TestZCatalogGetObject(unittest.TestCase):
        self.failIf(ob is None)
        self.assertEqual(ob.getId(), 'ob')

+    # Now test _unrestrictedGetObject
+
+    def test_unrestrictedGetObject_found(self):
+        # Check normal traversal
+        root = self.root
+        catalog = root.catalog
+        root.ob = Folder('ob')
+        catalog.catalog_object(root.ob)
+        brain = catalog.searchResults()[0]
+        self.assertEqual(brain.getPath(), '/ob')
+        self.assertEqual(brain._unrestrictedGetObject().getId(), 'ob')
+
+    def test_unrestrictedGetObject_restricted(self):
+        # Check that if the object's security does not allow traversal,
+        # it's still is returned
+        root = self.root
+        catalog = root.catalog
+        root.fold = Folder('fold')
+        root.fold.ob = Folder('ob')
+        catalog.catalog_object(root.fold.ob)
+        brain = catalog.searchResults()[0]
+        # allow all accesses
+        pickySecurityManager = PickySecurityManager()
+        setSecurityManager(pickySecurityManager)
+        self.assertEqual(brain._unrestrictedGetObject().getId(), 'ob')
+        # disallow just 'ob' access
+        pickySecurityManager = PickySecurityManager(['ob'])
+        setSecurityManager(pickySecurityManager)
+        self.assertEqual(brain._unrestrictedGetObject().getId(), 'ob')
+        # disallow just 'fold' access
+        pickySecurityManager = PickySecurityManager(['fold'])
+        setSecurityManager(pickySecurityManager)
+        self.assertEqual(brain._unrestrictedGetObject().getId(), 'ob')
+
+    def test_unrestrictedGetObject_missing_raises_NotFound(self):
+        # Check that if the object is missing we raise
+        from zExceptions import NotFound
+        self._init_getObject_flag(True)
+        root = self.root
+        catalog = root.catalog
+        root.ob = Folder('ob')
+        catalog.catalog_object(root.ob)
+        brain = catalog.searchResults()[0]
+        del root.ob
+        self.assertRaises((NotFound, AttributeError, KeyError),
+                          brain._unrestrictedGetObject)
+
+    def test_unrestrictedGetObject_missing_returns_None(self):
+        # Check that if the object is missing None is returned
+        self._init_getObject_flag(False)
+        root = self.root
+        catalog = root.catalog
+        root.ob = Folder('ob')
+        catalog.catalog_object(root.ob)
+        brain = catalog.searchResults()[0]
+        del root.ob
+        self.assertEqual(brain._unrestrictedGetObject(), None)
+

 def test_suite():
    suite = unittest.TestSuite()