[Zope-Checkins] CVS: Zope/lib/python/App - Permission.py:1.9 Product.py:1.62

Shane Hathaway shane@zope.com
Wed, 28 May 2003 10:51:43 -0400


Update of /cvs-repository/Zope/lib/python/App
In directory cvs.zope.org:/tmp/cvs-serv3087/App

Modified Files:
	Permission.py Product.py 
Log Message:
Merge from 2_6 branch.

Jamie Heilman discovered it was possible for anonymous users to add
ZClass permission objects.  The newly created permission objects had
no real effect on security, but anonymous users should not be able to
do this anyway, so this patch fixes the bug.

The problem was that PermissionManager never got initialized.  While I
was here, I took the opportunity to initialize other classes as well,
update the security declaration style, and apply the 'Define
permissions' permission.


=== Zope/lib/python/App/Permission.py 1.8 => 1.9 ===
--- Zope/lib/python/App/Permission.py:1.8	Wed Aug 14 17:31:40 2002
+++ Zope/lib/python/App/Permission.py	Wed May 28 10:51:12 2003
@@ -16,6 +16,11 @@
 __version__='$Revision$'[11:-2]
 
 import OFS.SimpleItem, Acquisition, Globals, ExtensionClass, AccessControl.Role
+from AccessControl import ClassSecurityInfo, Permissions
+
+view_management_screens = Permissions.view_management_screens
+define_permissions = Permissions.define_permissions
+
 
 class Permission(
     AccessControl.Role.RoleManager,
@@ -24,6 +29,7 @@
     "Model Permission meta-data"
     meta_type='Zope Permission'
     icon='p_/Permission_icon'
+    security = ClassSecurityInfo()
 
     manage_options=(
         (
@@ -39,6 +45,7 @@
         self.title=title
         self.name=name
 
+    security.declareProtected(define_permissions, 'manage_edit')
     def manage_edit(self, title, name, REQUEST=None):
         "Modify Permission properties."
         if title != self.title: self.title=title
@@ -48,9 +55,11 @@
             self._register()
         if REQUEST is not None: return self.manage_main(self, REQUEST)
 
+    security.declarePrivate('manage_afterAdd')
     def manage_afterAdd(self, item, container):
         self._register()
 
+    security.declarePrivate('manage_beforeDelete')
     def manage_beforeDelete(self, item, container):
         self._unregister()
 
@@ -66,22 +75,26 @@
         product.aq_acquire('_manage_remove_product_permission')(
             product, self.name)
 
+    security.declareProtected(view_management_screens, 'manage_main')
     manage_main=Globals.DTMLFile('dtml/editPermission',globals())
 
     index_html=None
 
+Globals.InitializeClass(Permission)
+
+
 class PermissionManager(ExtensionClass.Base):
 
-    __ac_permissions__=(
-        ('Define permissions',
-         ('manage_addPermissionForm', 'manage_addPermission')),
-        )
+    security = ClassSecurityInfo()
 
     meta_types={
         'name': Permission.meta_type, 'action': 'manage_addPermissionForm'
         },
 
+    security.declareProtected(define_permissions, 'manage_addPermissionForm')
     manage_addPermissionForm=Globals.DTMLFile('dtml/addPermission',globals())
+
+    security.declareProtected(define_permissions, 'manage_addPermission')
     def manage_addPermission(
         self, id, title, permission, REQUEST=None):
         ' '
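Review bot: `manage_addPermission` keeps the placeholder docstring `' '`, which exists only so the method remains publishable and tells a reader nothing about what it does or what it now requires; give it a real one, e.g. `"""Add a Permission object with the given id, title and permission name to this product (requires 'Define permissions')."""`. The method's body continues past the end of this hunk, and the tail shown in the next hunk passes `id` straight to `self._setObject`, so id validation is whatever that call performs (presumably `_checkId` in OFS.ObjectManager — confirm before relying on it). Moving from the old `__ac_permissions__` tuple to `declareProtected(define_permissions, ...)` keeps both the form and the action under the same permission as before, which is what the fix needs; the new `manage_main` guard on `Permission` uses `view_management_screens`, so a user who can view the edit form but lacks 'Define permissions' will only learn at submit time that `manage_edit` is refused.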
@@ -89,3 +102,5 @@
         self._setObject(id,i)
         if REQUEST is not None:
             return self.manage_main(self,REQUEST,update_menu=1)
+
+Globals.InitializeClass(PermissionManager)
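Review bot: `Globals.InitializeClass(PermissionManager)` is the line that actually closes the hole described in the log message, and nothing in the commit guards against it being dropped again; a regression test asserting that a principal without 'Define permissions' gets `Unauthorized` from `manage_addPermission` on a Product would pin it. Because the `security.declareProtected` calls on this mixin only take effect through this call, a why-comment next to it is worth having, e.g. `# Required: without this the declareProtected() calls above are never applied and manage_addPermission was reachable by anonymous users.` `manage_addPermission` begins in the previous hunk; only its last lines are visible here.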


=== Zope/lib/python/App/Product.py 1.61 => 1.62 ===
--- Zope/lib/python/App/Product.py:1.61	Wed May 14 10:43:44 2003
+++ Zope/lib/python/App/Product.py	Wed May 28 10:51:12 2003
@@ -77,6 +77,9 @@
     def _canCopy(self, op=0):
         return 0
 
+Globals.InitializeClass(ProductFolder)
+
+
 class Product(Folder, PermissionManager):
     """Model a product that can be created through the web.
     """
@@ -412,6 +415,7 @@
         if REQUEST is not None:
             return self.manage_refresh(REQUEST)
 
+Globals.InitializeClass(Product)
 
 
 class CompressedOutputFile:
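Review bot: `Globals.InitializeClass(Product)` covers Product's own declarations, while the protection of `manage_addPermission`/`manage_addPermissionForm` that `Product(Folder, PermissionManager)` inherits comes from `InitializeClass(PermissionManager)` in Permission.py — as far as I recall, InitializeClass only walks the class's own dictionary, so this call does not re-apply the mixin's declarations; confirm. A comment stating that dependency would stop a later maintainer from assuming this line secures the mixin, e.g. `# PermissionManager's methods are secured by InitializeClass(PermissionManager) in App/Permission.py; this call applies only Product's own declarations.` The Product class body runs from the earlier hunk through here, and any security declarations of its own are not visible in this diff.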