[security] don't add attribute into skip_security if already in edited_attributes, else we may accidentaly skip a desired security check stable
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Wed, 24 Mar 2010 13:40:53 +0100
branchstable
changeset 4990 3bf481cf51cb
parent 4989 0e6dca27422c
child 4991 16f0cec3d008
[security] don't add attribute into skip_security if already in edited_attributes, else we may accidentally skip a desired security check
entity.py
--- a/entity.py	Wed Mar 24 11:15:57 2010 +0100
+++ b/entity.py	Wed Mar 24 13:40:53 2010 +0100
@@ -249,7 +249,10 @@
             self.eid = value
         else:
             super(Entity, self).__setitem__(attr, value)
-            if hasattr(self, 'edited_attributes'):
+            # don't add attribute into skip_security if already in edited
+            # attributes, else we may accidentaly skip a desired security check
+            if hasattr(self, 'edited_attributes') and \
+                   attr not in self.edited_attributes:
                 self.edited_attributes.add(attr)
                 self.skip_security_attributes.add(attr)
 
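Review bot: The guard that decides whether an attribute is exempted from the security check is now written out twice, in this `else` branch and again in `setdefault` in the next hunk, each with its own copy of the comment. Because a copy that is missed or drifts would silently bring back the skipped check, the rule would be safer in one private method that both call sites use (for example `_mark_edited_by_code(attr)`, the name being only a suggestion). Its docstring could state the invariant the comment implies: an attribute already in `edited_attributes` must not be added to `skip_security_attributes` by a later assignment. The enclosing method starts above the hunk, so its other branches are not visible here.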
@@ -276,7 +279,10 @@
     def setdefault(self, attr, default):
         """override setdefault to update self.edited_attributes"""
         super(Entity, self).setdefault(attr, default)
-        if hasattr(self, 'edited_attributes'):
+        # don't add attribute into skip_security if already in edited
+        # attributes, else we may accidentaly skip a desired security check
+        if hasattr(self, 'edited_attributes') and \
+               attr not in self.edited_attributes:
             self.edited_attributes.add(attr)
             self.skip_security_attributes.add(attr)
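Review bot: `setdefault` still marks the attribute when the call changed nothing: if `attr` is already a key of the entity but not yet in `edited_attributes`, `super(Entity, self).setdefault(attr, default)` leaves the value alone, yet the attribute is added to both `edited_attributes` and `skip_security_attributes`. A later assignment through `__setitem__` would then find it in `edited_attributes` and leave it in the skip set, which looks like the situation this commit is meant to close. Recording `missing = attr not in self` before the `super` call and testing `if missing and hasattr(self, 'edited_attributes') and attr not in self.edited_attributes:` would limit the marking to attributes this call actually set. In the lines shown the override also drops the value returned by the `super` call, though the method may continue below the hunk.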