[fc] Repository: plone.dexterity

Branch: refs/heads/master Date: 2015-07-28T00:06:12+02:00 Author: Roel Bruggink (jaroel) <roel@jaroel.nl> Commit: plone/plone.dexterity@c64e737 Check add_permission. Files changed: M CHANGES.rst M plone/dexterity/content.py Repository: plone.dexterity Branch: refs/heads/master Date: 2015-07-28T10:50:10+02:00 Author: Jens W. Klein (jensens) <jk@kleinundpartner.at> Commit: plone/plone.dexterity@1b75485 Merge pull request #38 from plone/37-check-permission-before-invokefactory Check add_permission before checking type constrains Files changed: M CHANGES.rst M plone/dexterity/content.py
plone · Jul 28, 2015 · a796702 · a796702
1 parent 118d95e
commit a796702
Showing 1 changed file with 57 additions and 79 deletions.
diff --git a/last_commit.txt b/last_commit.txt
@@ -1,118 +1,96 @@
-Repository: plone.app.content
+Repository: plone.dexterity
 
 
 Branch: refs/heads/master
-Date: 2015-07-27T18:52:58+02:00
-Author: Jens W. Klein (jensens) <jk@kleinundpartner.at>
-Commit: https://github.com/plone/plone.app.content/commit/e4868229cb12d610b389c1117e7cfa2a24be14c5
+Date: 2015-07-28T00:06:12+02:00
+Author: Roel Bruggink (jaroel) <roel@jaroel.nl>
+Commit: https://github.com/plone/plone.dexterity/commit/c64e7379b592a6ebed9f61dcec7e29ed83c650a9
 
-Do not setDefaultPage in rename handler, there is already an subscriber doing so in Products.CMFDynamicViewFTI.
+Check add_permission.
 
 Files changed:
 M CHANGES.rst
-M plone/app/content/browser/actions.py
+M plone/dexterity/content.py
 
 diff --git a/CHANGES.rst b/CHANGES.rst
-index dc2081b..702be62 100644
+index 3a8eb6a..85132ff 100644
 --- a/CHANGES.rst
 +++ b/CHANGES.rst
-@@ -4,6 +4,10 @@ Changelog
- 3.0.8 (unreleased)
+@@ -4,6 +4,9 @@ Changelog
+ 2.3.3 (unreleased)
  ------------------
 
-+- Do not setDefaultPage in rename handler, there is already an subscriber that
-+  do so in `Products.CMFDynamicViewFTI`.
-+  [jensens]
++- Check add_permission before checking constrains. Refs #37
++  [jaroel]
 +
- - Do not clear clipboard when pasting content
-   [vangheem]
+ - Remove obsolete css-class and text from statusmessages.
+   [pbauer]
 
-diff --git a/plone/app/content/browser/actions.py b/plone/app/content/browser/actions.py
-index 30d130e..0c1f94e 100644
---- a/plone/app/content/browser/actions.py
-+++ b/plone/app/content/browser/actions.py
-@@ -143,13 +143,18 @@ def handle_rename(self, action):
-         newid = data['new_id']
-         newid = INameChooser(parent).chooseName(newid, self.context)
+diff --git a/plone/dexterity/content.py b/plone/dexterity/content.py
+index 59e97c8..feff70e 100644
+--- a/plone/dexterity/content.py
++++ b/plone/dexterity/content.py
+@@ -726,6 +726,12 @@ def invokeFactory(self, type_name, id, RESPONSE=None, *args, **kw):
+         constrains = IConstrainTypes(self, None)
 
--        context_state = getMultiAdapter(
--            (self.context, self.request), name='plone_context_state')
--        if context_state.is_default_page():
--            parent.setDefaultPage(newid)
-         # Requires cmf.ModifyPortalContent permission
-         self.context.title = data['new_title']
-+
-         # Requires zope2.CopyOrMove permission
+         if constrains:
++            # Do permission check before constrain checking so we'll get
++            # an Unauthorized over a ValueError.
++            fti = queryUtility(ITypeInformation, name=type_name)
++            if fti is not None and not fti.isConstructionAllowed(self):
++                raise Unauthorized('Cannot create %s' % fti.getId())
 +
-+        # manage_renameObjects fires 3 events:
-+        # 1. ObjectWillBeMovedEvent before anything happens
-+        # 2. ObjectMovedEvent directly after rename
-+        # 3. zope.container.contained.notifyContainerModified directly after 2
-+        # for 2+3 there are subscribers in Products.CMFDynamicViewFTI
-+        # responsible to change (2) or unset (3) the default_page.
-+
-         parent.manage_renameObjects([oldid, ], [str(newid), ])
-
-         transaction.savepoint(optimistic=True)
+             allowed_ids = [
+                 fti.getId() for fti in constrains.allowedContentTypes()
+             ]
 
 
-Repository: plone.app.content
+Repository: plone.dexterity
 
 
 Branch: refs/heads/master
-Date: 2015-07-27T19:41:42+02:00
-Author: Philip Bauer (pbauer) <bauer@starzel.de>
-Commit: https://github.com/plone/plone.app.content/commit/84781e35678e1e539b216e3fc5375f1ba4cecf80
+Date: 2015-07-28T10:50:10+02:00
+Author: Jens W. Klein (jensens) <jk@kleinundpartner.at>
+Commit: https://github.com/plone/plone.dexterity/commit/1b75485c7873c79970c6d125063a59aed710c7ff
 
-Merge pull request #46 from plone/clean-setDefaultPage
+Merge pull request #38 from plone/37-check-permission-before-invokefactory
 
-Do not setDefaultPage in rename handler, there is already an subscrib…
+Check add_permission before checking type constrains
 
 Files changed:
 M CHANGES.rst
-M plone/app/content/browser/actions.py
+M plone/dexterity/content.py
 
 diff --git a/CHANGES.rst b/CHANGES.rst
-index dc2081b..702be62 100644
+index 3a8eb6a..85132ff 100644
 --- a/CHANGES.rst
 +++ b/CHANGES.rst
-@@ -4,6 +4,10 @@ Changelog
- 3.0.8 (unreleased)
+@@ -4,6 +4,9 @@ Changelog
+ 2.3.3 (unreleased)
  ------------------
 
-+- Do not setDefaultPage in rename handler, there is already an subscriber that
-+  do so in `Products.CMFDynamicViewFTI`.
-+  [jensens]
++- Check add_permission before checking constrains. Refs #37
++  [jaroel]
 +
- - Do not clear clipboard when pasting content
-   [vangheem]
+ - Remove obsolete css-class and text from statusmessages.
+   [pbauer]
 
-diff --git a/plone/app/content/browser/actions.py b/plone/app/content/browser/actions.py
-index 30d130e..0c1f94e 100644
---- a/plone/app/content/browser/actions.py
-+++ b/plone/app/content/browser/actions.py
-@@ -143,13 +143,18 @@ def handle_rename(self, action):
-         newid = data['new_id']
-         newid = INameChooser(parent).chooseName(newid, self.context)
+diff --git a/plone/dexterity/content.py b/plone/dexterity/content.py
+index 59e97c8..feff70e 100644
+--- a/plone/dexterity/content.py
++++ b/plone/dexterity/content.py
+@@ -726,6 +726,12 @@ def invokeFactory(self, type_name, id, RESPONSE=None, *args, **kw):
+         constrains = IConstrainTypes(self, None)
 
--        context_state = getMultiAdapter(
--            (self.context, self.request), name='plone_context_state')
--        if context_state.is_default_page():
--            parent.setDefaultPage(newid)
-         # Requires cmf.ModifyPortalContent permission
-         self.context.title = data['new_title']
-+
-         # Requires zope2.CopyOrMove permission
+         if constrains:
++            # Do permission check before constrain checking so we'll get
++            # an Unauthorized over a ValueError.
++            fti = queryUtility(ITypeInformation, name=type_name)
++            if fti is not None and not fti.isConstructionAllowed(self):
++                raise Unauthorized('Cannot create %s' % fti.getId())
 +
-+        # manage_renameObjects fires 3 events:
-+        # 1. ObjectWillBeMovedEvent before anything happens
-+        # 2. ObjectMovedEvent directly after rename
-+        # 3. zope.container.contained.notifyContainerModified directly after 2
-+        # for 2+3 there are subscribers in Products.CMFDynamicViewFTI
-+        # responsible to change (2) or unset (3) the default_page.
-+
-         parent.manage_renameObjects([oldid, ], [str(newid), ])
-
-         transaction.savepoint(optimistic=True)
+             allowed_ids = [
+                 fti.getId() for fti in constrains.allowedContentTypes()
+             ]