Add access checks to Object.preventExtensions + add regression test for 1027.

Object.preventExtensions can currently be used cross-domain. With this
change we follow firefox (IE9 has our current behaviour). In addition
this includes a regression test for 1027 and access tests for
Object.seal and Object.freeze.

Review URL: http://codereview.chromium.org/6534019

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6848 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/objects.cc b/src/objects.cc
index e0232d5..e56c917 100644 (file)
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -2813,6 +2813,12 @@ bool JSObject::ReferencesObject(Object* obj) {
 
 
 MaybeObject* JSObject::PreventExtensions() {
+  if (IsAccessCheckNeeded() &&
+      !Top::MayNamedAccess(this, Heap::undefined_value(), v8::ACCESS_KEYS)) {
+    Top::ReportFailedAccessCheck(this, v8::ACCESS_KEYS);
+    return Heap::false_value();
+  }
+
   if (IsJSGlobalProxy()) {
     Object* proto = GetPrototype();
     if (proto->IsNull()) return this;

diff --git a/src/runtime.cc b/src/runtime.cc
index 2a503e3..df403bc 100644 (file)
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -3690,6 +3690,8 @@ static MaybeObject* Runtime_DefineOrRedefineDataProperty(Arguments args) {
       is_element) {
     // Normalize the elements to enable attributes on the property.
     if (js_object->IsJSGlobalProxy()) {
+      // We do not need to do access checks here since these has already
+      // been performed by the call to GetOwnProperty.
       Handle<Object> proto(js_object->GetPrototype());
       // If proxy is detached, ignore the assignment. Alternatively,
       // we could throw an exception.

diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index c43078d..0b6a2b7 100644 (file)
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -5652,8 +5652,7 @@ TEST(AccessControl) {
 }
 
 
-// This is a regression test for issue 1154.
-TEST(AccessControlObjectKeys) {
+TEST(AccessControlES5) {
   v8::HandleScope handle_scope;
   v8::Handle<v8::ObjectTemplate> global_template = v8::ObjectTemplate::New();
 
@@ -5677,7 +5676,29 @@ TEST(AccessControlObjectKeys) {
   v8::Handle<v8::Object> global1 = context1->Global();
   global1->Set(v8_str("other"), global0);
 
+  // Regression test for issue 1154.
   ExpectTrue("Object.keys(other).indexOf('blocked_prop') == -1");
+
+  ExpectUndefined("other.blocked_prop");
+
+  // Regression test for issue 1027.
+  CompileRun("Object.defineProperty(\n"
+             "  other, 'blocked_prop', {configurable: false})");
+  ExpectUndefined("other.blocked_prop");
+  ExpectUndefined(
+      "Object.getOwnPropertyDescriptor(other, 'blocked_prop')");
+
+  // Regression test for issue 1171.
+  ExpectTrue("Object.isExtensible(other)");
+  CompileRun("Object.preventExtensions(other)");
+  ExpectTrue("Object.isExtensible(other)");
+
+  // Object.seal and Object.freeze.
+  CompileRun("Object.freeze(other)");
+  ExpectTrue("Object.isExtensible(other)");
+
+  CompileRun("Object.seal(other)");
+  ExpectTrue("Object.isExtensible(other)");
 }