[Checkins] SVN: grok/branches/0.12/src/grok/ We need to do a bit more work in backporting recent changes to
Martijn Faassen
faassen at infrae.com
Fri Dec 12 08:55:22 EST 2008
Log message for revision 93955:
We need to do a bit more work in backporting recent changes to
the way static resources are handled in grokcore.view, but we are now able
to backport the security fix.
Changed:
U grok/branches/0.12/src/grok/components.py
U grok/branches/0.12/src/grok/meta.py
U grok/branches/0.12/src/grok/publication.py
-=-
Modified: grok/branches/0.12/src/grok/components.py
===================================================================
--- grok/branches/0.12/src/grok/components.py 2008-12-12 13:54:26 UTC (rev 93954)
+++ grok/branches/0.12/src/grok/components.py 2008-12-12 13:55:21 UTC (rev 93955)
@@ -357,22 +357,19 @@
continue
resource_factories[type] = factory
-
-class DirectoryResourceFactory(object):
+class DirectoryResourceFactory(directoryresource.DirectoryResourceFactory):
# We need this to allow hooking up our own GrokDirectoryResource
# and to set the checker to None (until we have our own checker)
- def __init__(self, path, name):
- # XXX we're not sure about the checker=None here
- self.__dir = directoryresource.Directory(path, None, name)
- self.__name = name
-
def __call__(self, request):
+ # Override this method for the following line, in which our
+ # custom DirectoryResource class is instantiated.
resource = DirectoryResource(self.__dir, request)
+ resource.directory_factory = DirectoryResourceFactory
+ resource.__Security_checker__ = self.__checker
resource.__name__ = self.__name
return resource
-
class Traverser(object):
interface.implements(IBrowserPublisher)
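Review bot: `__call__` reads `self.__dir`, `self.__checker` and `self.__name` although this class no longer assigns them, so it depends on Python name mangling resolving to the attributes the base class sets, which presumably works only because the subclass shares the name `DirectoryResourceFactory` with its base. Renaming this class would turn those lookups into an AttributeError, and nothing in the code warns about that. I would add `# NOTE: relies on this class sharing its name with the base class, so the mangled self.__dir/__checker/__name resolve to the base's attributes` above `__call__`. The class comment kept as context still says the checker is set to None, which this change makes untrue; it should say that the checker passed to the constructor is applied to each resource.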
Modified: grok/branches/0.12/src/grok/meta.py
===================================================================
--- grok/branches/0.12/src/grok/meta.py 2008-12-12 13:54:26 UTC (rev 93954)
+++ grok/branches/0.12/src/grok/meta.py 2008-12-12 13:55:21 UTC (rev 93955)
@@ -17,6 +17,8 @@
import zope.component.interface
from zope import interface, component
+
+from zope.security.checker import NamesChecker
from zope.publisher.browser import IBrowserView
from zope.publisher.interfaces.browser import (IDefaultBrowserLayer,
IBrowserRequest,
@@ -519,6 +521,11 @@
return True
+allowed_resource_names = (
+ 'GET', 'HEAD', 'publishTraverse', 'browserDefault', 'request', '__call__')
+
+allowed_resourcedir_names = allowed_resource_names + ('__getitem__', 'get')
+
class StaticResourcesGrokker(martian.GlobalGrokker):
def grok(self, name, module, module_info, config, **kw):
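Review bot: The two tuples added before `StaticResourcesGrokker` are the allow-list behind the new checker, yet they carry no comment saying so, and in the visible hunks `allowed_resource_names` is used only to build `allowed_resourcedir_names`. Because the later meta.py hunk passes `allowed_resourcedir_names` to `NamesChecker`, every name added to these tuples becomes reachable on a static directory resource through its security proxy. I would add `# Names a request may access on a static resource; the checker denies anything not listed` above the first tuple and `# Directory resources also allow item lookup, presumably for traversal to contained files` above the second. The body of `grok` continues outside the hunk.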
@@ -542,8 +549,10 @@
"resource directory and a module named "
"'static.py'", module_info.getModule())
+ checker = NamesChecker(allowed_resourcedir_names)
resource_factory = components.DirectoryResourceFactory(
- resource_path, module_info.dotted_name)
+ resource_path, checker, module_info.dotted_name)
+
adapts = (IDefaultBrowserLayer,)
provides = interface.Interface
name = module_info.dotted_name
Modified: grok/branches/0.12/src/grok/publication.py
===================================================================
--- grok/branches/0.12/src/grok/publication.py 2008-12-12 13:54:26 UTC (rev 93954)
+++ grok/branches/0.12/src/grok/publication.py 2008-12-12 13:55:21 UTC (rev 93955)
@@ -27,6 +27,10 @@
BrowserFactory, XMLRPCFactory, HTTPFactory
from zope.app.http.interfaces import IHTTPException
+from zope.publisher.interfaces.browser import IBrowserView
+from grok.components import View as GrokView
+from grok.components import JSON
+
class ZopePublicationSansProxy(object):
def getApplication(self, request):
@@ -36,8 +40,16 @@
def traverseName(self, request, ob, name):
result = super(ZopePublicationSansProxy, self).traverseName(
request, ob, name)
- return removeSecurityProxy(result)
+ bare_result = removeSecurityProxy(result)
+ if IBrowserView.providedBy(bare_result):
+ if isinstance(bare_result, (GrokView, JSON)):
+ return bare_result
+ else:
+ return result
+ else:
+ return bare_result
+
def callObject(self, request, ob):
checker = selectChecker(ob)
if checker is not None:
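Review bot: The new branch in `traverseName` decides which objects keep their security proxy but does not explain the rule, and the rule fails open: anything that does not provide `IBrowserView` is still returned bare, as is any `GrokView` or `JSON` instance. Only other browser views stay proxied, which presumably includes the static resources given a checker elsewhere in this commit, so a resource-like object that does not declare `IBrowserView` would lose its checker here. I would add `# Keep the proxy on non-Grok browser views (e.g. static resources) so their checker is enforced` above the `IBrowserView` test, and flatten the nesting to `if IBrowserView.providedBy(bare_result) and not isinstance(bare_result, (GrokView, JSON)): return result` followed by `return bare_result`. `callObject` continues outside the hunk.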