Log message for revision 124394: Make ObjectManager's ``get`` and ``__getitem__`` return only "items". No longer return attributes / methods from the class or from acquisition. Thanks to Richard Mitchell at Netsight for the report.
Changed: U Zope/branches/2.13/doc/CHANGES.rst U Zope/branches/2.13/src/OFS/ObjectManager.py U Zope/branches/2.13/src/OFS/tests/testApplication.py U Zope/branches/2.13/src/OFS/tests/testObjectManager.py -=- Modified: Zope/branches/2.13/doc/CHANGES.rst =================================================================== --- Zope/branches/2.13/doc/CHANGES.rst 2012-02-14 19:03:27 UTC (rev 124393) +++ Zope/branches/2.13/doc/CHANGES.rst 2012-02-14 19:04:05 UTC (rev 124394) @@ -8,6 +8,10 @@ 2.13.13 (unreleased) -------------------- +- Ensure that ObjectManager's ``get`` and ``__getitem__`` methods return only + "items" (no attributes / methods from the class or from acquisition). + Thanks to Richard Mitchell at Netsight for the report. + - Updated to Zope Toolkit 1.0.6. - Removed HTML tags from exception text of ``Unauthorized`` exception Modified: Zope/branches/2.13/src/OFS/ObjectManager.py =================================================================== --- Zope/branches/2.13/src/OFS/ObjectManager.py 2012-02-14 19:03:27 UTC (rev 124393) +++ Zope/branches/2.13/src/OFS/ObjectManager.py 2012-02-14 19:04:05 UTC (rev 124394) @@ -22,6 +22,7 @@ import os import re import sys +from types import NoneType from AccessControl import ClassSecurityInfo from AccessControl.class_init import InitializeClass @@ -765,12 +766,13 @@ return self.manage_delObjects(ids=[name]) def __getitem__(self, key): - v=self._getOb(key, None) - if v is not None: return v - if hasattr(self, 'REQUEST'): - request=self.REQUEST + if key in self: + return self._getOb(key, None) + request = getattr(self, 'REQUEST', None) + if not isinstance(request, (str, NoneType)): method=request.get('REQUEST_METHOD', 'GET') - if request.maybe_webdav_client and not method in ('GET', 'POST'): + if (request.maybe_webdav_client and + method not in ('GET', 'POST')): return NullResource(self, key, request).__of__(self) raise KeyError, key @@ -791,7 +793,9 @@ security.declareProtected(access_contents_information, 'get') def get(self, key, default=None): - return self._getOb(key, default) + if key in self: + return self._getOb(key, default) + return default security.declareProtected(access_contents_information, 'keys') def keys(self): Modified: Zope/branches/2.13/src/OFS/tests/testApplication.py =================================================================== --- Zope/branches/2.13/src/OFS/tests/testApplication.py 2012-02-14 19:03:27 UTC (rev 124393) +++ Zope/branches/2.13/src/OFS/tests/testApplication.py 2012-02-14 19:04:05 UTC (rev 124394) @@ -57,6 +57,7 @@ def test___bobo_traverse__attribute_miss_key_hit(self): app = self._makeOne() app._getOb = lambda x, y: x + app._objects = [{'id': 'OTHER', 'meta_type': None}] request = {} self.assertEqual(app.__bobo_traverse__(request, 'OTHER'), 'OTHER') Modified: Zope/branches/2.13/src/OFS/tests/testObjectManager.py =================================================================== --- Zope/branches/2.13/src/OFS/tests/testObjectManager.py 2012-02-14 19:03:27 UTC (rev 124393) +++ Zope/branches/2.13/src/OFS/tests/testObjectManager.py 2012-02-14 19:04:05 UTC (rev 124394) @@ -412,6 +412,22 @@ om = self._makeOne() self.assertTrue(om) + def test___getitem___miss(self): + om = self._makeOne() + self.assertRaises(KeyError, om.__getitem__, 'nonesuch') + + def test___getitem___miss_w_non_instance_attr(self): + om = self._makeOne() + self.assertRaises(KeyError, om.__getitem__, 'get') + + def test___getitem___hit(self): + om = self._makeOne() + si1 = SimpleItem('1') + om['1'] = si1 + got = om['1'] + self.assertTrue(got.aq_self is si1) + self.assertTrue(got.aq_parent is om) + def test_get_miss_wo_default(self): om = self._makeOne() self.assertEqual(om.get('nonesuch'), None) @@ -421,6 +437,10 @@ obj = object() self.assertTrue(om.get('nonesuch', obj) is obj) + def test_get_miss_w_non_instance_attr(self): + om = self._makeOne() + self.assertEqual(om.get('get'), None) + def test_get_hit(self): om = self._makeOne() si1 = SimpleItem('1') _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org https://mail.zope.org/mailman/listinfo/zope-checkins