Fix serious authentication vulnerability in stock configuration.

5ca0575f · Tres Seaver · 2392ea48 · 5ca0575f · 5ca0575f · 5ca0575f
Commit 5ca0575f authored Oct 24, 2011 by Tres Seaver
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 3 deletions

doc/CHANGES.rst doc/CHANGES.rst +1 -0

src/OFS/tests/test_userfolder.py src/OFS/tests/test_userfolder.py +13 -3

src/OFS/userfolder.py src/OFS/userfolder.py +2 -0

No files found.
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -8,6 +8,7 @@ http://docs.zope.org/zope2/releases/.
 2.13.11 (unreleased)
 --------------------

+- Fixed serious authentication vulnerability in stock configuration.

 2.13.10 (2011-10-04)
 --------------------

--- a/src/OFS/tests/test_userfolder.py
+++ b/src/OFS/tests/test_userfolder.py
@@ -17,7 +17,15 @@ import unittest
 # TODO class Test_readUserAccessFile(unittest.TestCase)


-# TODO class BasicUserFoldertests(unittest.TestCase)
+class BasicUserFolderTests(unittest.TestCase):
+ 
+    def _getTargetClass(self):
+        from OFS.userfolder import BasicUserFolder
+        return BasicUserFolder
+ 
+    def test_manage_users_security_initialized(self):
+        uf = self._getTargetClass()()
+        self.assertTrue(hasattr(uf, 'manage_users__roles__'))


 class UserFolderTests(unittest.TestCase):
@@ -171,6 +179,8 @@ class UserFolderTests(unittest.TestCase):


 def test_suite():
-    suite = unittest.TestSuite()
-    suite.addTest(unittest.makeSuite(UserFolderTests))
+    suite = unittest.TestSuite((
+        unittest.makeSuite(BasicUserFolderTests),
+        unittest.makeSuite(UserFolderTests),
+    ))
    return suite
--- a/src/OFS/userfolder.py
+++ b/src/OFS/userfolder.py
@@ -293,6 +293,8 @@ class BasicUserFolder(Navigation, Tabs, Item, RoleManager,
                message='Cannot change the id of a UserFolder',
                action='./manage_main'))

+InitializeClass(BasicUserFolder)
+

 class UserFolder(accesscontrol_userfolder.UserFolder, BasicUserFolder):
    """Standard UserFolder object