Diffstat (limited to 'net-zope/plone/files/plone-2.0.5-portrait_security.patch')
-rw-r--r--net-zope/plone/files/plone-2.0.5-portrait_security.patch230
1 files changed, 127 insertions, 103 deletions
diff --git a/net-zope/plone/files/plone-2.0.5-portrait_security.patch b/net-zope/plone/files/plone-2.0.5-portrait_security.patch
index e3e0d62614b5..83efe6cb6c68 100644
--- a/net-zope/plone/files/plone-2.0.5-portrait_security.patch
+++ b/net-zope/plone/files/plone-2.0.5-portrait_security.patch
@@ -1,103 +1,127 @@
---- CMFPlone/MembershipTool.py (revision 5844)
-+++ CMFPlone/MembershipTool.py (revision 9512)
-@@ -1,4 +1,4 @@
--from Products.CMFCore.CMFCorePermissions import SetOwnPassword
- from Products.CMFCore.utils import getToolByName
-+from Products.CMFCore.utils import _checkPermission
- from Products.CMFDefault.MembershipTool import MembershipTool as BaseTool
- from Products.CMFPlone import ToolNames
-@@ -9,4 +9,7 @@
- from Globals import InitializeClass
- from Acquisition import aq_base, aq_parent, aq_inner
-+from Products.CMFCore.CMFCorePermissions import ManagePortal
-+from Products.CMFCore.CMFCorePermissions import SetOwnProperties
-+from Products.CMFCore.CMFCorePermissions import SetOwnPassword
- from Products.CMFCore.CMFCorePermissions import View
- from Products.CMFPlone.PloneBaseTool import PloneBaseTool
-@@ -40,4 +43,5 @@
- security.declareProtected(View, 'getPortalRoles')
-
-+ security.declarePublic('getAuthenticatedMember')
- def getAuthenticatedMember(self):
- """ """
-@@ -52,4 +56,5 @@
- return _user
-
-+ security.declarePublic('getPersonalPortrait')
- def getPersonalPortrait(self, member_id = None, verifyPermission=0):
- """
-@@ -58,7 +63,4 @@
- membertool = getToolByName(self, 'portal_memberdata')
-
-- # what are we doing with that
-- #if verifyPermission and not _checkPermission('View', portrait):
-- # return None
- if not member_id:
- member_id = self.getAuthenticatedMember().getUserName()
-@@ -67,5 +69,8 @@
- if type(portrait) == type(''):
- portrait = None
-- #portrait = None
-+ if portrait is not None:
-+ if verifyPermission and not _checkPermission(View, portrait):
-+ # Don't return the portrait if the user can't get to it
-+ portrait = None
- if portrait is None:
- portal = getToolByName(self, 'portal_url').getPortalObject()
-@@ -74,4 +79,5 @@
- return portrait
-
-+ security.declareProtected(SetOwnProperties, 'deletePersonalPortrait')
- def deletePersonalPortrait(self, member_id = None):
- """
-@@ -85,4 +91,5 @@
- membertool._deletePortrait(member_id)
-
-+ security.declarePublic('getPersonalFolder')
- def getPersonalFolder(self, member_id=None):
- """
-@@ -98,4 +105,5 @@
- return personal
-
-+ security.declareProtected(SetOwnProperties, 'changeMemberPortrait')
- def changeMemberPortrait(self, portrait, member_id=None):
- """
-@@ -112,4 +120,5 @@
- membertool._setPortrait(portrait, member_id)
-
-+ security.declarePublic('createMemberarea')
- def createMemberarea(self, member_id=None, minimal=0):
- """
-@@ -242,4 +251,5 @@
- createMemberArea = createMemberarea
-
-+ security.declareProtected(ManagePortal, 'listMembers')
- def listMembers(self):
- '''Gets the list of all members.
-@@ -251,4 +261,5 @@
- return BaseTool.listMembers(self)
-
-+ security.declareProtected(ManagePortal, 'listMemberIds')
- def listMemberIds(self):
- '''Lists the ids of all members. This may eventually be
-@@ -263,5 +274,5 @@
-
- # this should probably be in MemberDataTool.py
-- #security.declarePublic( 'searchForMembers' )
-+ security.declarePublic('searchForMembers')
- def searchForMembers( self, REQUEST=None, **kw ):
- """ """
-@@ -319,10 +330,10 @@
- return res
-
-- def testCurrentPassword(self, password, username=None):
-+ security.declareProtected(SetOwnPassword, 'testCurrentPassword')
-+ def testCurrentPassword(self, password):
- """ test to see if password is current """
- portal=getToolByName(self, 'portal_url').getPortalObject()
- REQUEST=getattr(self, 'REQUEST', {})
-- if username is None:
-- username=self.getAuthenticatedMember().getUserName()
-+ username=self.getAuthenticatedMember().getUserName()
- acl_users = self._findUsersAclHome(username)
- if not acl_users:
+--- CMFPlone/MembershipTool.py 2004-12-01 15:54:09.000000000 +0100
++++ CMFPlone/MembershipTool.py 2006-04-17 15:11:56.000000000 +0200
+@@ -1,5 +1,5 @@
+-from Products.CMFCore.CMFCorePermissions import SetOwnPassword
+ from Products.CMFCore.utils import getToolByName
++from Products.CMFCore.utils import _checkPermission
+ from Products.CMFDefault.MembershipTool import MembershipTool as BaseTool
+ from Products.CMFPlone import ToolNames
+ from Products.CMFPlone.PloneUtilities import translate
+@@ -8,6 +8,9 @@
+ from AccessControl import ClassSecurityInfo, getSecurityManager
+ from Globals import InitializeClass
+ from Acquisition import aq_base, aq_parent, aq_inner
++from Products.CMFCore.CMFCorePermissions import ManagePortal
++from Products.CMFCore.CMFCorePermissions import SetOwnProperties
++from Products.CMFCore.CMFCorePermissions import SetOwnPassword
+ from Products.CMFCore.CMFCorePermissions import View
+ from Products.CMFPlone.PloneBaseTool import PloneBaseTool
+
+@@ -39,6 +42,7 @@
+ # in CMFCore.MembershipTool - but in Plone we are not so anal ;-)
+ security.declareProtected(View, 'getPortalRoles')
+
++ security.declarePublic('getAuthenticatedMember')
+ def getAuthenticatedMember(self):
+ """ """
+ _user=self.REQUEST.get('_portaluser', None)
+@@ -51,28 +55,30 @@
+ self.REQUEST.set('_portaluser', _user)
+ return _user
+
++ security.declarePublic('getPersonalPortrait')
+ def getPersonalPortrait(self, member_id = None, verifyPermission=0):
+ """
+ returns the Portait for a member_id
+ """
+ membertool = getToolByName(self, 'portal_memberdata')
+
+- # what are we doing with that
+- #if verifyPermission and not _checkPermission('View', portrait):
+- # return None
+ if not member_id:
+ member_id = self.getAuthenticatedMember().getUserName()
+
+ portrait = membertool._getPortrait(member_id)
+ if type(portrait) == type(''):
+ portrait = None
+- #portrait = None
++ if portrait is not None:
++ if verifyPermission and not _checkPermission(View, portrait):
++ # Don't return the portrait if the user can't get to it
++ portrait = None
+ if portrait is None:
+ portal = getToolByName(self, 'portal_url').getPortalObject()
+ portrait = getattr(portal, default_portrait)
+
+ return portrait
+
++ security.declareProtected(SetOwnProperties, 'deletePersonalPortrait')
+ def deletePersonalPortrait(self, member_id = None):
+ """
+ deletes the Portait of member_id
+@@ -84,6 +90,7 @@
+
+ membertool._deletePortrait(member_id)
+
++ security.declarePublic('getPersonalFolder')
+ def getPersonalFolder(self, member_id=None):
+ """
+ returns the Personal Item folder for a member
+@@ -97,6 +104,7 @@
+ , None )
+ return personal
+
++ security.declareProtected(SetOwnProperties, 'changeMemberPortrait')
+ def changeMemberPortrait(self, portrait, member_id=None):
+ """
+ given a portrait we will modify the users portrait
+@@ -111,6 +119,7 @@
+ membertool = getToolByName(self, 'portal_memberdata')
+ membertool._setPortrait(portrait, member_id)
+
++ security.declarePublic('createMemberarea')
+ def createMemberarea(self, member_id=None, minimal=0):
+ """
+ Create a member area for 'member_id' or the authenticated user.
+@@ -241,6 +250,7 @@
+ security.declarePublic('createMemberArea')
+ createMemberArea = createMemberarea
+
++ security.declareProtected(ManagePortal, 'listMembers')
+ def listMembers(self):
+ '''Gets the list of all members.
+ '''
+@@ -250,6 +260,7 @@
+ else:
+ return BaseTool.listMembers(self)
+
++ security.declareProtected(ManagePortal, 'listMemberIds')
+ def listMemberIds(self):
+ '''Lists the ids of all members. This may eventually be
+ replaced with a set of methods for querying pieces of the
+@@ -262,7 +273,7 @@
+ return self.__getPUS().getUserNames()
+
+ # this should probably be in MemberDataTool.py
+- #security.declarePublic( 'searchForMembers' )
++ security.declarePublic('searchForMembers')
+ def searchForMembers( self, REQUEST=None, **kw ):
+ """ """
+ if REQUEST:
+@@ -318,12 +329,12 @@
+ res.append(member)
+ return res
+
+- def testCurrentPassword(self, password, username=None):
++ security.declareProtected(SetOwnPassword, 'testCurrentPassword')
++ def testCurrentPassword(self, password):
+ """ test to see if password is current """
+ portal=getToolByName(self, 'portal_url').getPortalObject()
+ REQUEST=getattr(self, 'REQUEST', {})
+- if username is None:
+- username=self.getAuthenticatedMember().getUserName()
++ username=self.getAuthenticatedMember().getUserName()
+ acl_users = self._findUsersAclHome(username)
+ if not acl_users:
+ return 0
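Review bot: In the embedded `getPersonalPortrait` change, the new `_checkPermission(View, portrait)` guard runs only when the caller passes a true `verifyPermission`. The signature keeps `verifyPermission=0` and the method is now `declarePublic`, so a default call still returns the stored portrait without the View check. If that default is kept for compatibility, a comment above the guard such as `# View is enforced only when verifyPermission is set; callers showing another member's portrait must pass verifyPermission=1` would make the contract explicit. Separately, `deletePersonalPortrait` and `changeMemberPortrait` keep their `member_id` parameter under `SetOwnProperties`, whereas `testCurrentPassword` drops `username`. Their bodies lie partly outside the inner hunks, so it is worth confirming that `member_id` is checked against the authenticated member before `_deletePortrait` and `_setPortrait` run.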