Commit 52193d9b authored by Shane Hathaway's avatar Shane Hathaway

Finished fix for collector #558. restrictedTraverse() was not providing

adequate context for the security manager, resulting in excessive Unauthorized
errors.  The previous fix corrected traversal using __bobo_traverse__();
this fix corrects traversal using getattr().  The problem was solved by
simply making use of AccessControl.ZopeGuards.guarded_getattr().
parent f97d3008
...@@ -12,13 +12,14 @@ ...@@ -12,13 +12,14 @@
############################################################################## ##############################################################################
'''This module implements a mix-in for traversable objects. '''This module implements a mix-in for traversable objects.
$Id: Traversable.py,v 1.16 2002/09/12 21:20:52 shane Exp $''' $Id: Traversable.py,v 1.17 2002/09/18 15:48:59 shane Exp $'''
__version__='$Revision: 1.16 $'[11:-2] __version__='$Revision: 1.17 $'[11:-2]
from Acquisition import Acquired, aq_inner, aq_parent, aq_base from Acquisition import Acquired, aq_inner, aq_parent, aq_base
from AccessControl import getSecurityManager from AccessControl import getSecurityManager
from AccessControl import Unauthorized from AccessControl import Unauthorized
from AccessControl.ZopeGuards import guarded_getattr
from urllib import quote from urllib import quote
_marker=[] _marker=[]
...@@ -134,21 +135,11 @@ class Traversable: ...@@ -134,21 +135,11 @@ class Traversable:
raise Unauthorized, name raise Unauthorized, name
else: else:
o=get(object, name, M)
if o is not M:
if restricted: if restricted:
# waaaa o = guarded_getattr(object, name, M)
if hasattr(aq_base(object), name):
# value wasn't acquired
if not securityManager.validate(
object, object, name, o):
raise Unauthorized, name
else:
if not securityManager.validate(
object, N, name, o):
raise Unauthorized, name
else: else:
o = get(object, name, M)
if o is M:
o=object[name] o=object[name]
if (restricted and not securityManager.validate( if (restricted and not securityManager.validate(
object, object, N, o)): object, object, N, o)):
......
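Review bot: The restricted attribute branch now authorizes through `guarded_getattr(object, name, M)`, while the item fallback just below still calls `securityManager.validate(object, object, N, o)`, so the two branches agree only if `securityManager` is the same manager that guarded_getattr consults internally. As far as I know, guarded_getattr looks up the current manager via getSecurityManager() rather than accepting one, and the assignment of `securityManager` is outside this hunk, so that should be confirmed. The same concern applies to restrictedTraverse in the second file section, where `securityManager` is an explicit parameter and the new attribute branch uses neither it nor `validate`. I would add a comment above the call such as `# guarded_getattr checks access against the current security manager and raises Unauthorized itself; M here means the attribute is missing`. The enclosing method starts and ends outside the hunk.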
...@@ -17,7 +17,7 @@ Page Template-specific implementation of TALES, with handlers ...@@ -17,7 +17,7 @@ Page Template-specific implementation of TALES, with handlers
for Python expressions, string literals, and paths. for Python expressions, string literals, and paths.
""" """
__version__='$Revision: 1.38 $'[11:-2] __version__='$Revision: 1.39 $'[11:-2]
import re, sys import re, sys
from TALES import Engine, CompilerError, _valid_name, NAME_RE, \ from TALES import Engine, CompilerError, _valid_name, NAME_RE, \
...@@ -47,6 +47,7 @@ def installHandlers(engine): ...@@ -47,6 +47,7 @@ def installHandlers(engine):
if sys.modules.has_key('Zope'): if sys.modules.has_key('Zope'):
import AccessControl import AccessControl
from AccessControl import getSecurityManager from AccessControl import getSecurityManager
from AccessControl.ZopeGuards import guarded_getattr
try: try:
from AccessControl import Unauthorized from AccessControl import Unauthorized
except ImportError: except ImportError:
...@@ -59,6 +60,7 @@ if sys.modules.has_key('Zope'): ...@@ -59,6 +60,7 @@ if sys.modules.has_key('Zope'):
call_with_ns call_with_ns
else: else:
from PythonExpr import getSecurityManager, PythonExpr from PythonExpr import getSecurityManager, PythonExpr
guarded_getattr = getattr
try: try:
from zExceptions import Unauthorized from zExceptions import Unauthorized
except ImportError: except ImportError:
...@@ -331,16 +333,8 @@ def restrictedTraverse(self, path, securityManager, ...@@ -331,16 +333,8 @@ def restrictedTraverse(self, path, securityManager,
raise Unauthorized, name raise Unauthorized, name
else: else:
# Try an attribute. # Try an attribute.
o = get(object, name, M) o = guarded_getattr(object, name, M)
if o is not M: if o is M:
# Check access to the attribute.
if has(object, 'aq_acquire'):
object.aq_acquire(
name, validate2, validate)
else:
if not validate(object, object, name, o):
raise Unauthorized, name
else:
# Try an item. # Try an item.
try: try:
# XXX maybe in Python 2.2 we can just check whether # XXX maybe in Python 2.2 we can just check whether
......
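Review bot: The fallback `guarded_getattr = getattr` in the non-Zope branch means the attribute lookup in restrictedTraverse performs no access check at all in that mode. The removed code called `validate(object, object, name, o)` or `object.aq_acquire(name, validate2, validate)` whichever branch had supplied the security manager. If the stand-in manager imported from PythonExpr allows everything this is harmless, but that is not visible here, and the alias hides the difference from anyone reading restrictedTraverse. I would document it at the alias, e.g. `# No Zope: attribute access in restrictedTraverse is unchecked; only Zope's guarded_getattr enforces security`. restrictedTraverse's body continues outside the hunk.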