Make ObjectManager's ``get`` and ``__getitem__`` return only "items".

No longer return attributes / methods from the class or from acquisition.
Thanks to Richard Mitchell at Netsight for the report.

doc/CHANGES.rst

@@ -8,6 +8,10 @@ http://docs.zope.org/zope2/releases/.
 2.12.23 (unreleased)
 --------------------
 
+- Ensure that ObjectManager's ``get`` and ``__getitem__`` methods return only
+  "items" (no attributes / methods from the class or from acquisition).
+  Thanks to Richard Mitchell at Netsight for the report.
+
 - Note end-of-life timeline: Zope 2.12.x is now in security-fix-only mode and
   will continue to see security updates until October 2013, the same as Python
   2.6.x does.

src/OFS/ObjectManager.py

@@ -24,6 +24,7 @@ import marshal
 import os
 import re
 import sys
+from types import NoneType
 
 from AccessControl import ClassSecurityInfo
 from AccessControl.Permissions import view_management_screens
@@ -775,12 +776,13 @@ class ObjectManager(CopyContainer,
         return self.manage_delObjects(ids=[name])
 
     def __getitem__(self, key):
-        v=self._getOb(key, None)
-        if v is not None: return v
-        if hasattr(self, 'REQUEST'):
-            request=self.REQUEST
+        if key in self:
+            return self._getOb(key, None)
+        request = getattr(self, 'REQUEST', None)
+        if not isinstance(request, (str, NoneType)):
             method=request.get('REQUEST_METHOD', 'GET')
-            if request.maybe_webdav_client and not method in ('GET', 'POST'):
+            if (request.maybe_webdav_client and
+                method not in ('GET', 'POST')):
                 return NullResource(self, key, request).__of__(self)
         raise KeyError, key
 
@@ -801,7 +803,9 @@ class ObjectManager(CopyContainer,
 
     security.declareProtected(access_contents_information, 'get')
     def get(self, key, default=None):
-        return self._getOb(key, default)
+        if key in self:
+            return self._getOb(key, default)
+        return default
 
     security.declareProtected(access_contents_information, 'keys')
     def keys(self):

src/OFS/tests/testApplication.py

@@ -57,6 +57,7 @@ class ApplicationTests(unittest.TestCase):
     def test___bobo_traverse__attribute_miss_key_hit(self):
         app = self._makeOne()
         app._getOb = lambda x, y: x
+        app._objects = [{'id': 'OTHER', 'meta_type': None}]
         request = {}
         self.assertEqual(app.__bobo_traverse__(request, 'OTHER'), 'OTHER')
 

src/OFS/tests/testObjectManager.py

@@ -387,6 +387,22 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase):
         om = self._makeOne()
         self.failUnless(om)
 
+    def test___getitem___miss(self):
+        om = self._makeOne()
+        self.assertRaises(KeyError, om.__getitem__, 'nonesuch')
+
+    def test___getitem___miss_w_non_instance_attr(self):
+        om = self._makeOne()
+        self.assertRaises(KeyError, om.__getitem__, 'get')
+
+    def test___getitem___hit(self):
+        om = self._makeOne()
+        si1 = SimpleItem('1')
+        om['1'] = si1
+        got = om['1']
+        self.failUnless(got.aq_self is si1)
+        self.failUnless(got.aq_parent is om)
+
     def test_get_miss_wo_default(self):
         om = self._makeOne()
         self.assertEqual(om.get('nonesuch'), None)
@@ -396,6 +412,10 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase):
         obj = object()
         self.failUnless(om.get('nonesuch', obj) is obj)
 
+    def test_get_miss_w_non_instance_attr(self):
+        om = self._makeOne()
+        self.assertEqual(om.get('get'), None)
+
     def test_get_hit(self):
         om = self._makeOne()
         si1 = SimpleItem('1')