[Checkins] SVN: grok/trunk/src/grok/ Get rid of security altogether by implementing custom publication objects

Philipp von Weitershausen philikon at philikon.de
Sat Jan 6 10:47:55 EST 2007


Log message for revision 71737:
  Get rid of security altogether by implementing custom publication objects
  

Changed:
  U   grok/trunk/src/grok/components.py
  U   grok/trunk/src/grok/configure.zcml
  A   grok/trunk/src/grok/ftests/security/
  A   grok/trunk/src/grok/ftests/security/__init__.py
  U   grok/trunk/src/grok/ftests/test_grok_functional.py
  U   grok/trunk/src/grok/meta.py
  A   grok/trunk/src/grok/publication.py
  D   grok/trunk/src/grok/security.py
  U   grok/trunk/src/grok/templatereg.py
  D   grok/trunk/src/grok/tests/security/
  U   grok/trunk/src/grok/tests/test_grok.py

-=-
Modified: grok/trunk/src/grok/components.py
===================================================================
--- grok/trunk/src/grok/components.py	2007-01-06 15:47:22 UTC (rev 71736)
+++ grok/trunk/src/grok/components.py	2007-01-06 15:47:54 UTC (rev 71737)
@@ -22,7 +22,6 @@
 from zope import schema
 from zope import event
 from zope.lifecycleevent import ObjectModifiedEvent
-from zope.security.proxy import removeSecurityProxy
 from zope.publisher.browser import BrowserPage
 from zope.publisher.interfaces import NotFound
 from zope.publisher.interfaces.browser import (IBrowserPublisher,
@@ -44,7 +43,7 @@
 from zope.app.container.interfaces import IReadContainer
 from zope.app.component.site import SiteManagerContainer
 
-from grok import util, security, interfaces
+from grok import util, interfaces
 
 
 class GrokkerBase(object):
@@ -124,9 +123,7 @@
     interface.implements(interfaces.IGrokView)
 
     def __init__(self, context, request):
-        # Jim would say: WAAAAAAAAAAAAH!
-        self.context = removeSecurityProxy(context)
-        self.request = removeSecurityProxy(request)
+        super(View, self).__init__(context, request)
         self.directory_resource = component.queryAdapter(self.request,
                 interface.Interface, name=self.module_info.package_dotted_name)
 
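Review bot: `View.__init__` now trusts that `context` and `request` arrive without a security proxy, and nothing in this hunk records where that guarantee comes from. The same applies to the second `__init__` changed further down in this file and to `ModelGrokker.register` in meta.py, which no longer defines a `NoProxy` checker for models. As far as this commit shows, only the BROWSER and XMLRPC publishers are replaced, so a Grok object reached through any other publisher, or proxied explicitly by other code, would presumably fall back to Zope's default checker and have its attributes refused. A comment above the `super` call such as `# context/request are unproxied by grok.publication; other publishers still hand out proxied objects` would record the assumption. The class header is outside the hunk, so the base class that receives the `super` call cannot be confirmed from here.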
@@ -241,7 +238,6 @@
 
     def __call__(self, request):
         resource = DirectoryResource(self.__dir, request)
-        resource.__Security_checker__ = security.GrokChecker()
         resource.__name__ = self.__name
         return resource
 
@@ -250,9 +246,8 @@
     interface.implements(IBrowserPublisher)
 
     def __init__(self, context, request):
-        # Jim would say: WAAAAAAAAAAAAH!
-        self.context = removeSecurityProxy(context)
-        self.request = removeSecurityProxy(request)
+        self.context = context
+        self.request = request
 
     def browserDefault(self, request):
         view_name = getDefaultViewName(self.context, request)

Modified: grok/trunk/src/grok/configure.zcml
===================================================================
--- grok/trunk/src/grok/configure.zcml	2007-01-06 15:47:22 UTC (rev 71736)
+++ grok/trunk/src/grok/configure.zcml	2007-01-06 15:47:54 UTC (rev 71737)
@@ -23,4 +23,23 @@
       provides="zope.traversing.browser.interfaces.IAbsoluteURL"
       />
 
+  <!-- this overrides Zope 3's publication factories because they have
+       the same name; we also need to change the priority because of
+       the ZCML descriminator -->
+  <publisher
+      name="XMLRPC"
+      factory=".publication.GrokXMLRPCFactory"
+      methods="POST"
+      mimetypes="text/xml"
+      priority="21"
+      />
+
+  <publisher
+      name="BROWSER"
+      factory=".publication.GrokBrowserFactory"
+      methods="GET POST HEAD"
+      mimetypes="*"
+      priority="11"
+      />
+
 </configure>
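Review bot: Because these two `<publisher>` entries replace the stock factories by name, the proxy removal in `.publication` applies to every browser and XML-RPC request served by the instance, not only to requests for Grok components. Views and content objects from other packages that declare permissions would then, as far as the new publication classes show, be returned from traversal without the proxy that enforces those declarations. The comment should state that scope, e.g. `<!-- NOTE: disables security-proxy enforcement for all BROWSER and XMLRPC requests in this instance, including non-Grok packages -->`, and it is worth considering whether `ZopePublicationSansProxy` should unwrap only objects that Grok registered. The comment also misspells `discriminator`.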

Copied: grok/trunk/src/grok/ftests/security/__init__.py (from rev 71730, grok/trunk/src/grok/ftests/__init__.py)

Modified: grok/trunk/src/grok/ftests/test_grok_functional.py
===================================================================
--- grok/trunk/src/grok/ftests/test_grok_functional.py	2007-01-06 15:47:22 UTC (rev 71736)
+++ grok/trunk/src/grok/ftests/test_grok_functional.py	2007-01-06 15:47:54 UTC (rev 71737)
@@ -56,7 +56,8 @@
 
 def test_suite():
     suite = unittest.TestSuite()
-    for name in ['view', 'static', 'xmlrpc', 'traversal', 'form', 'url']:
+    for name in ['view', 'static', 'xmlrpc', 'traversal', 'form', 'url',
+                 'security']:
         suite.addTest(suiteFromPackage(name))
     return suite
 
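Review bot: The `security` functional suite added to this list appears to have no tests behind it: the change list shows only `ftests/security/__init__.py` being added, while `tests/security/` is deleted. That leaves the new behaviour unpinned, namely that objects reach views unproxied and that no permission check runs during publication. A functional doctest in `ftests/security` that publishes a view and asserts the result, plus one that checks the context is not a proxy, would keep a later publication change from silently altering it. `suiteFromPackage` is defined outside the hunk, so how it treats an empty package is not visible here.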

Modified: grok/trunk/src/grok/meta.py
===================================================================
--- grok/trunk/src/grok/meta.py	2007-01-06 15:47:22 UTC (rev 71736)
+++ grok/trunk/src/grok/meta.py	2007-01-06 15:47:54 UTC (rev 71737)
@@ -3,8 +3,6 @@
 
 import zope.component.interface
 from zope import interface, component
-from zope.security.checker import (defineChecker, getCheckerForInstancesOf,
-                                   NoProxy)
 from zope.publisher.interfaces.browser import (IDefaultBrowserLayer,
                                                IBrowserRequest,
                                                IBrowserPublisher)
@@ -12,16 +10,13 @@
 from zope.publisher.interfaces.xmlrpc import IXMLRPCRequest
 
 import grok
-from grok import util, components, security, formlib
+from grok import util, components, formlib
 from grok.error import GrokError
 
 class ModelGrokker(grok.ClassGrokker):
     component_class = grok.Model
 
     def register(self, context, name, factory, module_info, templates):
-        if not getCheckerForInstancesOf(factory):
-            defineChecker(factory, NoProxy)
-
         for field in formlib.get_context_schema_fields(factory):
             setattr(factory, field.__name__, field.default)       
 
@@ -75,8 +70,7 @@
             # views have a location
             method_view = type(
                 factory.__name__, (factory, MethodPublisher),
-                {'__call__': method,
-                 '__Security_checker__': security.GrokChecker()}
+                {'__call__': method}
                 )
             component.provideAdapter(
                 method_view, (view_context, IXMLRPCRequest),
@@ -161,9 +155,6 @@
                                  provides=interface.Interface,
                                  name=view_name)
 
-        # TODO minimal security here (read: everything is public)
-        defineChecker(factory, NoProxy)
-
 class TraverserGrokker(grok.ClassGrokker):
     component_class = grok.Traverser
 

Added: grok/trunk/src/grok/publication.py
===================================================================
--- grok/trunk/src/grok/publication.py	2007-01-06 15:47:22 UTC (rev 71736)
+++ grok/trunk/src/grok/publication.py	2007-01-06 15:47:54 UTC (rev 71737)
@@ -0,0 +1,57 @@
+##############################################################################
+#
+# Copyright (c) 2006 Zope Corporation and Contributors.
+# All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE.
+#
+##############################################################################
+"""Grok publication objects
+"""
+
+from zope.security.proxy import removeSecurityProxy
+
+from zope.app.publication.http import BaseHTTPPublication
+from zope.app.publication.browser import BrowserPublication
+from zope.app.publication.requestpublicationfactories import \
+     BrowserFactory, XMLRPCFactory
+
+
+class ZopePublicationSansProxy(object):
+
+    def getApplication(self, request):
+        result = super(ZopePublicationSansProxy, self).getApplication(request)
+        return removeSecurityProxy(result)
+
+    def traverseName(self, request, ob, name):
+        result = super(ZopePublicationSansProxy, self).traverseName(
+            request, ob, name)
+        return removeSecurityProxy(result)
+
+
+class GrokBrowserPublication(ZopePublicationSansProxy, BrowserPublication):
+
+    def getDefaultTraversal(self, request, ob):
+        obj, path = super(GrokBrowserPublication, self).getDefaultTraversal(
+            request, ob)
+        return removeSecurityProxy(obj), path
+
+class GrokBrowserFactory(BrowserFactory):
+
+    def __call__(self):
+        request, publication = super(GrokBrowserFactory, self).__call__()
+        return request, GrokBrowserPublication
+
+class GrokXMLRPCPublication(ZopePublicationSansProxy, BaseHTTPPublication):
+    pass
+
+class GrokXMLRPCFactory(XMLRPCFactory):
+
+    def __call__(self):
+        request, publication = super(GrokXMLRPCFactory, self).__call__()
+        return request, GrokXMLRPCPublication
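Review bot: None of the new classes carries a docstring, although they change a security-relevant default: every object returned by `getApplication`, `traverseName` and `getDefaultTraversal` has its security proxy removed. `ZopePublicationSansProxy` should say so, e.g. `"""Mixin that strips the security proxy from every object the publication hands out; list it before the real publication class so its methods run first."""`. The base-class order matters because the mixin reaches the real implementation through `super`, and that dependency is not obvious from the class statements alone. The two factories would also benefit from a one-line docstring noting that they keep the request returned by the stock factory and only swap the publication.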


Property changes on: grok/trunk/src/grok/publication.py
___________________________________________________________________
Name: svn:eol-style
   + native

Deleted: grok/trunk/src/grok/security.py
===================================================================
--- grok/trunk/src/grok/security.py	2007-01-06 15:47:22 UTC (rev 71736)
+++ grok/trunk/src/grok/security.py	2007-01-06 15:47:54 UTC (rev 71737)
@@ -1,45 +0,0 @@
-##############################################################################
-#
-# Copyright (c) 2006 Zope Corporation and Contributors.
-# All Rights Reserved.
-#
-# This software is subject to the provisions of the Zope Public License,
-# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
-# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
-# FOR A PARTICULAR PURPOSE.
-#
-##############################################################################
-"""Grok security-related stuff
-"""
-
-class GrokChecker(object):
-    # ME GROK ANGRY.
-    # ME GROK NOT KNOW WHY CHECKER.
-
-    # We have no idea why we need a custom checker here. One hint was
-    # that the DirectoryResource already does something manually with
-    # setting up the 'correct' checker for itself and we seem to interfere
-    # with that. However, we couldn't figure out what's going on and this
-    # solves our problem for now. 
-
-    # XXX re-implement this in a sane way.
-
-    def __init__(self):
-        pass
-
-    def check_getattr(self, object, name):
-        pass
-
-    def check_setattr(self, ob, name):
-        pass
-
-    def check(self, ob, operation):
-        pass
-
-    def proxy(self, value):
-        return value
-
-
-

Modified: grok/trunk/src/grok/templatereg.py
===================================================================
--- grok/trunk/src/grok/templatereg.py	2007-01-06 15:47:22 UTC (rev 71736)
+++ grok/trunk/src/grok/templatereg.py	2007-01-06 15:47:54 UTC (rev 71737)
@@ -1,15 +1,15 @@
 import os
 
 from zope import interface, component
-from zope.security.checker import (defineChecker, getCheckerForInstancesOf,
-                                   NoProxy)
 from zope.publisher.interfaces.browser import IDefaultBrowserLayer
 
 import grok
 from grok import util
 from grok.error import GrokError
 
+
 class TemplateRegistry(object):
+
     def __init__(self):
         self._reg = {}
 
@@ -84,6 +84,3 @@
                                      adapts=(context, IDefaultBrowserLayer),
                                      provides=interface.Interface,
                                      name=name)
-
-            # TODO minimal security here (read: everything is public)
-            defineChecker(TemplateView, NoProxy)

Modified: grok/trunk/src/grok/tests/test_grok.py
===================================================================
--- grok/trunk/src/grok/tests/test_grok.py	2007-01-06 15:47:22 UTC (rev 71736)
+++ grok/trunk/src/grok/tests/test_grok.py	2007-01-06 15:47:54 UTC (rev 71737)
@@ -32,7 +32,7 @@
 
 def test_suite():
     suite = unittest.TestSuite()
-    for name in ['adapter', 'error', 'view', 'security', 'scan', 'event',
+    for name in ['adapter', 'error', 'view', 'scan', 'event',
                  'zcml', 'static', 'utility', 'xmlrpc', 'container',
                  'traversal', 'form', 'site', 'grokker']:
         suite.addTest(suiteFromPackage(name))


