Esempio n. 1
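def verifyAcquisitionContext(user, object, object_roles=None):
    """Mimics the relevant section of User.allowed().

    Returns 1 if the object is in the context of the user's user folder,
    or if that context cannot be determined; returns None otherwise.

    The user's context is the parent of the user's parent, both obtained
    with aq_parent().  If ``object`` has an ``im_self`` attribute it is
    treated as a method and the check runs against that instance instead.

    ``object_roles`` is only consulted when the object is outside the
    user's context.  None (the default) is treated as "no roles", so the
    check denies by returning None instead of raising TypeError on the
    membership test.
    """
    ufolder = aq_parent(user)
    ucontext = aq_parent(ufolder)
    if ucontext is not None:
        if object is None:
            # This is a strange rule, though
            # it doesn't cause any security holes. SDH
            return 1
        if hasattr(object, 'im_self'):
            # This is a method.  Grab its self.
            # NOTE(review): im_self is the Python 2 spelling; Python 3
            # bound methods only expose __self__, so this branch would
            # not run for them there.
            object = object.im_self
        if not aq_inContextOf(object, ucontext, 1):
            # Guard against the None default before the membership test,
            # so a missing role list denies access rather than raising.
            if object_roles is not None and 'Shared' in object_roles:
                # Old role setting. Waaa
                object_roles = user._shared_roles(object)
                if 'Anonymous' in object_roles:
                    return 1
            return None
    # Note that if the user were not wrapped, it would
    # not be possible to determine the user's context
    # and this method would return 1.
    # However, as long as user folders always return
    # wrapped user objects, this is safe.
    return 1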
Esempio n. 2
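def verifyAcquisitionContext(user, object, object_roles=None):
    """Mimics the relevant section of User.allowed().

    Returns 1 if the object is in the context of the user's user folder,
    or if that context cannot be determined; returns None otherwise.

    The user's context is the parent of the user's parent, both obtained
    with aq_parent().  If ``object`` carries a non-None ``__self__`` it is
    treated as a method and the check runs against that instance instead.

    ``object_roles`` is only consulted when the object is outside the
    user's context.  None (the default) is treated as "no roles", so the
    check denies by returning None instead of raising TypeError on the
    membership test.
    """
    ufolder = aq_parent(user)
    ucontext = aq_parent(ufolder)
    if ucontext is None:
        # Note that if the user were not wrapped, it would
        # not be possible to determine the user's context
        # and this method would return 1.
        # However, as long as user folders always return
        # wrapped user objects, this is safe.
        return 1
    if object is None:
        # This is a strange rule, though
        # it doesn't cause any security holes. SDH
        return 1

    method_self = getattr(object, '__self__', None)
    if method_self is not None:
        # This is a method.  Grab its self.
        object = method_self

    if aq_inContextOf(object, ucontext, 1):
        return 1

    # Outside the user's context: only the legacy 'Shared' role can still
    # grant access.  A missing role list (None) must deny, not raise.
    if object_roles is not None and 'Shared' in object_roles:
        # Old role setting. Waaa
        object_roles = user._shared_roles(object)
        if 'Anonymous' in object_roles:
            return 1
    return None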
Esempio n. 3
def _check_context(self, object):
    # Check that 'object' lies in the acquisition context of the
    # grandparent of this user (the parent of the container holding
    # the user), to prevent "stealing" access through acquisition
    # tricks.
    #
    # Returns 1 when no context can be determined (a '__parent__' is
    # missing or None on either level) or when 'object' is None; the
    # check is therefore permissive in those cases.  Otherwise returns
    # whatever aq_inContextOf() reports.
    container = getattr(self, '__parent__', None)
    context = getattr(container, '__parent__', None)
    if context is None:
        return 1
    if object is None:
        return 1
    # If 'object' exposes '__self__' (as bound methods do), check that
    # value instead of 'object' itself.
    target = getattr(object, '__self__', object)
    return aq_inContextOf(target, context, 1)
Esempio n. 4
    def _check_context(self, object):
        # Check that 'object' lies in the acquisition context of the
        # grandparent of this user (the parent of the container holding
        # the user), to prevent "stealing" access through acquisition
        # tricks.
        #
        # Returns whatever aq_inContextOf() reports when a context is
        # available, and 1 when 'object' is None or when no context can
        # be determined.
        context = getattr(
            getattr(self, '__parent__', None),
            '__parent__',
            None,
        )
        if context is None:
            # No grandparent to compare against.  Allowing here is
            # lame, but required to keep existing behavior.
            return 1
        if object is None:
            return 1
        # A method is checked through the instance it is bound to.
        # NOTE(review): 'im_self' is the Python 2 attribute name.
        target = object.im_self if hasattr(object, 'im_self') else object
        return aq_inContextOf(target, context, 1)
Esempio n. 5
    def _check_context(self, object):
        # Verify that 'object' sits inside the acquisition context of
        # this user's grandparent (self.__parent__.__parent__), so that
        # access cannot be "stolen" through acquisition tricks.
        #
        # Result: 1 if there is no such context or 'object' is None;
        # otherwise the value returned by aq_inContextOf().
        owner = getattr(self, '__parent__', None)
        context = getattr(owner, '__parent__', None)

        # Both shortcuts allow.  The missing-context case is lame, but
        # required to keep existing behavior.
        if context is None or object is None:
            return 1

        if hasattr(object, 'im_self'):
            # This is a method.  Grab its self.
            # NOTE(review): 'im_self' is the Python 2 attribute name.
            object = object.im_self
        return aq_inContextOf(object, context, 1)