Commit 8bf68762 authored by Tres Seaver's avatar Tres Seaver

- Merge change for CMF Collector #259

parent ad3f8ae5
...@@ -144,6 +144,9 @@ Zope Changes ...@@ -144,6 +144,9 @@ Zope Changes
Bugs fixed Bugs fixed
- OFS.CopySupport: Enforced "Delete objects" permission during
move (CMF Collector #259).
- Removed DWIM'y attempt to filter acquired-but-not-aceessible - Removed DWIM'y attempt to filter acquired-but-not-aceessible
results from 'guarded_getattr'. results from 'guarded_getattr'.
......
...@@ -21,6 +21,7 @@ from zlib import compress, decompress ...@@ -21,6 +21,7 @@ from zlib import compress, decompress
from App.Dialogs import MessageDialog from App.Dialogs import MessageDialog
from AccessControl import getSecurityManager from AccessControl import getSecurityManager
from AccessControl.Permissions import delete_objects as DeleteObjects
from Acquisition import aq_base, aq_inner, aq_parent from Acquisition import aq_base, aq_inner, aq_parent
from zExceptions import Unauthorized, BadRequest from zExceptions import Unauthorized, BadRequest
from webdav.Lockable import ResourceLockedError from webdav.Lockable import ResourceLockedError
...@@ -152,7 +153,7 @@ class CopyContainer(ExtensionClass.Base): ...@@ -152,7 +153,7 @@ class CopyContainer(ExtensionClass.Base):
m = Moniker.loadMoniker(mdata) m = Moniker.loadMoniker(mdata)
try: ob = m.bind(app) try: ob = m.bind(app)
except: raise CopyError, eNotFound except: raise CopyError, eNotFound
self._verifyObjectPaste(ob) self._verifyObjectPaste(ob, validate_src=op+1)
oblist.append(ob) oblist.append(ob)
if op==0: if op==0:
...@@ -379,13 +380,23 @@ class CopyContainer(ExtensionClass.Base): ...@@ -379,13 +380,23 @@ class CopyContainer(ExtensionClass.Base):
action = 'manage_main') action = 'manage_main')
if validate_src: if validate_src:
sm = getSecurityManager()
# Ensure the user is allowed to access the object on the # Ensure the user is allowed to access the object on the
# clipboard. # clipboard.
try: parent = aq_parent(aq_inner(object)) try:
except: parent = None parent = aq_parent(aq_inner(object))
if not getSecurityManager().validate(None,parent,None,object): except:
parent = None
if not sm.validate(None,parent,None,object):
raise Unauthorized, absattr(object.id) raise Unauthorized, absattr(object.id)
if validate_src == 2: # moving
if not sm.checkPermission(DeleteObjects, parent):
raise Unauthorized, 'Delete not allowed.'
else: # /if method_name else: # /if method_name
raise CopyError, MessageDialog( raise CopyError, MessageDialog(
title = 'Not Supported', title = 'Not Supported',
......
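Review bot: The new "Delete objects" check in `_verifyObjectPaste` runs only when `validate_src == 2`, a value that exists solely because the paste call site now passes `validate_src=op+1`. Any other caller that performs a move but passes a plain true value still gets the access check and silently skips the delete check. A comment at both sites would make that contract visible, for example `# validate_src: 1 = copy (access check only), 2 = move (also require "Delete objects" on the source parent)`. Separately, `parent` is `None` whenever the bare `except:` fires, and what `sm.checkPermission(DeleteObjects, parent)` returns for `None` is not visible here; `if parent is None or not sm.checkPermission(DeleteObjects, parent):` would fail closed. The body of `_verifyObjectPaste` starts and ends outside the hunk.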