- fixed permission check in ObjectManager

doc/CHANGES.rst

@@ -11,6 +11,8 @@ http://docs.zope.org/zope2/releases/.
 Bugs Fixed
 ++++++++++
 
+- OFS: Fixed permission check in ObjectManager.
+
 - webdav: Fixed permission check and error handling in DeleteCollection.
 
 - LP 686664: WebDAV Lock Manager ZMI view wasn't accessible.

src/OFS/ObjectManager.py

@@ -266,15 +266,15 @@ class ObjectManager(CopyContainer,
     def filtered_meta_types(self, user=None):
         # Return a list of the types for which the user has
         # adequate permission to add that type of object.
-        user=getSecurityManager().getUser()
-        meta_types=[]
+        sm = getSecurityManager()
+        meta_types = []
         if callable(self.all_meta_types):
-            all=self.all_meta_types()
+            all = self.all_meta_types()
         else:
-            all=self.all_meta_types
+            all = self.all_meta_types
         for meta_type in all:
             if meta_type.has_key('permission'):
-                if user.has_permission(meta_type['permission'],self):
+                if sm.checkPermission(meta_type['permission'], self):
                     meta_types.append(meta_type)
             else:
                 meta_types.append(meta_type)

src/OFS/tests/testObjectManager.py

 import unittest
 
-from zope.component.testing import PlacelessSetup
-from zope.interface import implements
-
 from AccessControl.owner import EmergencyUserCannotOwn
 from AccessControl.SecurityManagement import newSecurityManager
 from AccessControl.SecurityManagement import noSecurityManager
-from AccessControl.User import User # before SpecialUsers
+from AccessControl.SecurityManager import setSecurityPolicy
 from AccessControl.SpecialUsers import emergency_user, nobody, system
+from AccessControl.User import User # before SpecialUsers
 from Acquisition import aq_base
 from Acquisition import Implicit
 from App.config import getConfiguration
 from logging import getLogger
+from zExceptions import BadRequest
+from zope.component.testing import PlacelessSetup
+from zope.interface import implements
+from Zope2.App import zcml
+
 from OFS.interfaces import IItem
 from OFS.metaconfigure import setDeprecatedManageAddDelete
 from OFS.ObjectManager import ObjectManager
 from OFS.SimpleItem import SimpleItem
-from Zope2.App import zcml
-from zExceptions import BadRequest
 
 logger = getLogger('OFS.subscribers')
 
@@ -103,6 +104,26 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase):
         verifyClass(IContainer, ObjectManager)
         verifyClass(IObjectManager, ObjectManager)
 
+    def test_filtered_meta_types(self):
+
+        class _DummySecurityPolicy(object):
+
+            def checkPermission(self, permission, object, context):
+                return permission == 'addFoo'
+
+        om = self._makeOne()
+        om.all_meta_types = ({'name': 'Foo', 'permission': 'addFoo'},
+                             {'name': 'Bar', 'permission': 'addBar'},
+                             {'name': 'Baz'})
+        try:
+            oldPolicy = setSecurityPolicy(_DummySecurityPolicy())
+            self.assertEqual(len(om.filtered_meta_types()), 2)
+            self.assertEqual(om.filtered_meta_types()[0]['name'], 'Foo')
+            self.assertEqual(om.filtered_meta_types()[1]['name'], 'Baz')
+        finally:
+            noSecurityManager()
+            setSecurityPolicy(oldPolicy)
+
     def test_setObject_set_owner_with_no_user( self ):
         om = self._makeOne()
         newSecurityManager( None, None )