Commit d499c14e authored by Tres Seaver's avatar Tres Seaver

Make ObjectManager's ``get`` and ``__getitem__`` return only "items".

No longer return attributes / methods from the class or from acquisition.
Thanks to Richard Mitchell at Netsight for the report.
parent 0a3e94f7
...@@ -8,6 +8,10 @@ http://docs.zope.org/zope2/releases/. ...@@ -8,6 +8,10 @@ http://docs.zope.org/zope2/releases/.
2.13.13 (unreleased) 2.13.13 (unreleased)
-------------------- --------------------
- Ensure that ObjectManager's ``get`` and ``__getitem__`` methods return only
"items" (no attributes / methods from the class or from acquisition).
Thanks to Richard Mitchell at Netsight for the report.
- Updated to Zope Toolkit 1.0.6. - Updated to Zope Toolkit 1.0.6.
- Removed HTML tags from exception text of ``Unauthorized`` exception - Removed HTML tags from exception text of ``Unauthorized`` exception
......
...@@ -22,6 +22,7 @@ import marshal ...@@ -22,6 +22,7 @@ import marshal
import os import os
import re import re
import sys import sys
from types import NoneType
from AccessControl import ClassSecurityInfo from AccessControl import ClassSecurityInfo
from AccessControl.class_init import InitializeClass from AccessControl.class_init import InitializeClass
...@@ -765,12 +766,13 @@ class ObjectManager(CopyContainer, ...@@ -765,12 +766,13 @@ class ObjectManager(CopyContainer,
return self.manage_delObjects(ids=[name]) return self.manage_delObjects(ids=[name])
def __getitem__(self, key): def __getitem__(self, key):
v=self._getOb(key, None) if key in self:
if v is not None: return v return self._getOb(key, None)
if hasattr(self, 'REQUEST'): request = getattr(self, 'REQUEST', None)
request=self.REQUEST if not isinstance(request, (str, NoneType)):
method=request.get('REQUEST_METHOD', 'GET') method=request.get('REQUEST_METHOD', 'GET')
if request.maybe_webdav_client and not method in ('GET', 'POST'): if (request.maybe_webdav_client and
method not in ('GET', 'POST')):
return NullResource(self, key, request).__of__(self) return NullResource(self, key, request).__of__(self)
raise KeyError, key raise KeyError, key
...@@ -791,7 +793,9 @@ class ObjectManager(CopyContainer, ...@@ -791,7 +793,9 @@ class ObjectManager(CopyContainer,
security.declareProtected(access_contents_information, 'get') security.declareProtected(access_contents_information, 'get')
def get(self, key, default=None): def get(self, key, default=None):
return self._getOb(key, default) if key in self:
return self._getOb(key, default)
return default
security.declareProtected(access_contents_information, 'keys') security.declareProtected(access_contents_information, 'keys')
def keys(self): def keys(self):
......
...@@ -57,6 +57,7 @@ class ApplicationTests(unittest.TestCase): ...@@ -57,6 +57,7 @@ class ApplicationTests(unittest.TestCase):
def test___bobo_traverse__attribute_miss_key_hit(self): def test___bobo_traverse__attribute_miss_key_hit(self):
app = self._makeOne() app = self._makeOne()
app._getOb = lambda x, y: x app._getOb = lambda x, y: x
app._objects = [{'id': 'OTHER', 'meta_type': None}]
request = {} request = {}
self.assertEqual(app.__bobo_traverse__(request, 'OTHER'), 'OTHER') self.assertEqual(app.__bobo_traverse__(request, 'OTHER'), 'OTHER')
......
...@@ -412,6 +412,22 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase): ...@@ -412,6 +412,22 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase):
om = self._makeOne() om = self._makeOne()
self.assertTrue(om) self.assertTrue(om)
def test___getitem___miss(self):
om = self._makeOne()
self.assertRaises(KeyError, om.__getitem__, 'nonesuch')
def test___getitem___miss_w_non_instance_attr(self):
om = self._makeOne()
self.assertRaises(KeyError, om.__getitem__, 'get')
def test___getitem___hit(self):
om = self._makeOne()
si1 = SimpleItem('1')
om['1'] = si1
got = om['1']
self.assertTrue(got.aq_self is si1)
self.assertTrue(got.aq_parent is om)
def test_get_miss_wo_default(self): def test_get_miss_wo_default(self):
om = self._makeOne() om = self._makeOne()
self.assertEqual(om.get('nonesuch'), None) self.assertEqual(om.get('nonesuch'), None)
...@@ -421,6 +437,10 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase): ...@@ -421,6 +437,10 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase):
obj = object() obj = object()
self.assertTrue(om.get('nonesuch', obj) is obj) self.assertTrue(om.get('nonesuch', obj) is obj)
def test_get_miss_w_non_instance_attr(self):
om = self._makeOne()
self.assertEqual(om.get('get'), None)
def test_get_hit(self): def test_get_hit(self):
om = self._makeOne() om = self._makeOne()
si1 = SimpleItem('1') si1 = SimpleItem('1')
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment