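def verifyAcquisitionContext(user, object, object_roles=None):
    """Mimics the relevant section of User.allowed().

    Returns true if the object is in the context of the user's user folder.

    Args:
        user: The user object.  Its acquisition parent is treated as the
            user folder, and that folder's parent as the context to
            check against.
        object: The object being accessed.  A method is replaced by the
            instance it is bound to before the check.
        object_roles: Roles required on the object.  Only consulted when
            the object is outside the user's context.  None is treated
            as "no roles".

    Returns:
        1 when this check does not object: the object is in context, the
        object is None, the user's context cannot be determined, or the
        legacy 'Shared' roles resolve to roles containing 'Anonymous'.
        None otherwise.
    """
    ufolder = aq_parent(user)
    ucontext = aq_parent(ufolder)
    if ucontext is not None:
        if object is None:
            # This is a strange rule, though
            # it doesn't cause any security holes. SDH
            return 1
        # This is a method.  Grab its self.  '__self__' is the Python 3
        # name (also present on Python 2.6+); 'im_self' is kept as a
        # fallback for callables that only expose the Python 2 name.
        # Without the '__self__' lookup the unwrapping silently never
        # happens on Python 3 and the method object itself is checked.
        bound_self = getattr(object, '__self__', None)
        if bound_self is None:
            bound_self = getattr(object, 'im_self', None)
        if bound_self is not None:
            object = bound_self
        # NOTE(review): the nesting of this branch was reconstructed from
        # a listing that had lost its indentation -- confirm against the
        # original file.
        if not aq_inContextOf(object, ucontext, 1):
            # object_roles defaults to None; a membership test on None
            # raises TypeError, so missing roles fall through to the
            # denial below instead of failing with an unrelated error.
            if object_roles is not None and 'Shared' in object_roles:
                # Old role setting. Waaa
                object_roles = user._shared_roles(object)
                if 'Anonymous' in object_roles:
                    return 1
            return None
    # Note that if the user were not wrapped, it would
    # not be possible to determine the user's context
    # and this method would return 1.
    # However, as long as user folders always return
    # wrapped user objects, this is safe.
    return 1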
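def verifyAcquisitionContext(user, object, object_roles=None):
    """Mimics the relevant section of User.allowed().

    Returns true if the object is in the context of the user's user folder.

    Args:
        user: The user object.  Its acquisition parent is treated as the
            user folder, and that folder's parent as the context to
            check against.
        object: The object being accessed.  A bound method is replaced
            by the instance it is bound to before the check.
        object_roles: Roles required on the object.  Only consulted when
            the object is outside the user's context.  None is treated
            as "no roles".

    Returns:
        1 when this check does not object: the object is in context, the
        object is None, the user's context cannot be determined, or the
        legacy 'Shared' roles resolve to roles containing 'Anonymous'.
        None otherwise.
    """
    ufolder = aq_parent(user)
    ucontext = aq_parent(ufolder)
    if ucontext is not None:
        if object is None:
            # This is a strange rule, though
            # it doesn't cause any security holes. SDH
            return 1
        # This is a method.  Grab its self (single lookup instead of
        # reading '__self__' twice).
        bound_self = getattr(object, '__self__', None)
        if bound_self is not None:
            object = bound_self
        # NOTE(review): the nesting of this branch was reconstructed from
        # a listing that had lost its indentation -- confirm against the
        # original file.
        if not aq_inContextOf(object, ucontext, 1):
            # object_roles defaults to None; a membership test on None
            # raises TypeError, so missing roles fall through to the
            # denial below instead of failing with an unrelated error.
            if object_roles is not None and 'Shared' in object_roles:
                # Old role setting. Waaa
                object_roles = user._shared_roles(object)
                if 'Anonymous' in object_roles:
                    return 1
            return None
    # Note that if the user were not wrapped, it would
    # not be possible to determine the user's context
    # and this method would return 1.
    # However, as long as user folders always return
    # wrapped user objects, this is safe.
    return 1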
def _check_context(self, object):
    # Verify that 'object' lies in the acquisition context of the
    # parent of the acl_users object holding this user, so that
    # access cannot be "stolen" through acquisition tricks.
    #
    # Result: true when 'object' is in context; false when it is not,
    # or when the context cannot be determined because 'object' is
    # not wrapped.
    #
    # The check passes (returns 1) without consulting the acquisition
    # chain when this user has no '__parent__' two levels up or when
    # 'object' is None.
    # NOTE(review): the first case presumably relies on user folders
    # always handing out wrapped user objects -- confirm.
    user_folder = getattr(self, '__parent__', None)
    context = getattr(user_folder, '__parent__', None)
    if object is None or context is None:
        return 1
    # A method is judged by the instance it is bound to.
    target = getattr(object, '__self__', object)
    return aq_inContextOf(target, context, 1)
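def _check_context(self, object):
    # Check that 'object' exists in the acquisition context of
    # the parent of the acl_users object containing this user,
    # to prevent "stealing" access through acquisition tricks.
    # Return true if in context, false if not or if context
    # cannot be determined (object is not wrapped).
    #
    # The check also passes (returns 1) when this user has no
    # '__parent__' two levels up, or when 'object' is None.
    parent = getattr(self, '__parent__', None)
    context = getattr(parent, '__parent__', None)
    if context is not None:
        if object is None:
            return 1
        # This is a method.  Grab its self.  '__self__' is the Python 3
        # name (also present on Python 2.6+); 'im_self' is kept as a
        # fallback for callables that only expose the Python 2 name.
        # Without the '__self__' lookup the unwrapping silently never
        # happens on Python 3 and the method object itself is checked.
        bound_self = getattr(object, '__self__', None)
        if bound_self is None:
            bound_self = getattr(object, 'im_self', None)
        if bound_self is not None:
            object = bound_self
        return aq_inContextOf(object, context, 1)

    # This is lame, but required to keep existing behavior.
    return 1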
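def _check_context(self, object):
    # Check that 'object' exists in the acquisition context of
    # the parent of the acl_users object containing this user,
    # to prevent "stealing" access through acquisition tricks.
    # Return true if in context, false if not or if context
    # cannot be determined (object is not wrapped).
    #
    # The check also passes (returns 1) when this user has no
    # '__parent__' two levels up, or when 'object' is None.
    parent = getattr(self, '__parent__', None)
    context = getattr(parent, '__parent__', None)
    if context is not None:
        if object is None:
            return 1
        # This is a method.  Grab its self.  '__self__' is the Python 3
        # name (also present on Python 2.6+); 'im_self' is kept as a
        # fallback for callables that only expose the Python 2 name.
        # Without the '__self__' lookup the unwrapping silently never
        # happens on Python 3 and the method object itself is checked.
        bound_self = getattr(object, '__self__', None)
        if bound_self is None:
            bound_self = getattr(object, 'im_self', None)
        if bound_self is not None:
            object = bound_self
        return aq_inContextOf(object, context, 1)

    # This is lame, but required to keep existing behavior.
    return 1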