[Checkins] SVN: z3ext.preferences/trunk/ Fixed security for preference group
Nikolay Kim
fafhrd at datacom.kz
Tue Dec 23 03:05:43 EST 2008
Log message for revision 94255:
Fixed security for preference group
Changed:
U z3ext.preferences/trunk/CHANGES.txt
U z3ext.preferences/trunk/src/z3ext/preferences/browser/group.py
U z3ext.preferences/trunk/src/z3ext/preferences/interfaces.py
U z3ext.preferences/trunk/src/z3ext/preferences/utils.py
U z3ext.preferences/trunk/src/z3ext/preferences/zcml.py
-=-
Modified: z3ext.preferences/trunk/CHANGES.txt
===================================================================
--- z3ext.preferences/trunk/CHANGES.txt 2008-12-22 22:48:30 UTC (rev 94254)
+++ z3ext.preferences/trunk/CHANGES.txt 2008-12-23 08:05:43 UTC (rev 94255)
@@ -2,6 +2,12 @@
CHANGES
=======
+1.4.5 (Unreleased)
+------------------
+
+- Fixed security for preference group
+
+
1.4.4 (2008-12-22)
------------------
Modified: z3ext.preferences/trunk/src/z3ext/preferences/browser/group.py
===================================================================
--- z3ext.preferences/trunk/src/z3ext/preferences/browser/group.py 2008-12-22 22:48:30 UTC (rev 94254)
+++ z3ext.preferences/trunk/src/z3ext/preferences/browser/group.py 2008-12-23 08:05:43 UTC (rev 94255)
@@ -16,6 +16,8 @@
$Id$
"""
from zope import schema
+from zope.security import checkPermission
+from zope.security.interfaces import Unauthorized
from zope.cachedescriptors.property import Lazy
from z3ext.layoutform import Fields, PageletEditForm
@@ -23,6 +25,9 @@
class PreferenceGroup(object):
def update(self):
+ if not checkPermission(self.context.__permission__, self.context):
+ raise Unauthorized()
+
context = self.context
request = self.request
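Review bot: The new guard on the first added line checks `self.context.__permission__`, which interfaces.py in this same commit documents as the "Set schema permission", and the `PreferenceGroupView.update` added in the next hunk repeats the identical check; neither view ever consults the new `__accesspermission__`. If `PreferenceGroupView` only renders the group, this locks out principals who hold the access permission but not the modify permission, and that view should probably use `if not checkPermission(self.context.__accesspermission__, self.context):` instead — I am inferring the view's role from its name, so please confirm. Note that `__accesspermission__` is not in the CheckerPublic attribute list in zcml.py (only `__permission__` was added there), so reading it through a proxied context would require it to be covered by the interface grant. `raise Unauthorized()` with no message also gives the unauthorized handler nothing to report; `raise Unauthorized(self.context, '__permission__')` or a short string would help diagnosis. The body of `PreferenceGroup.update` continues outside this hunk.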
@@ -61,3 +66,9 @@
@Lazy
def fields(self):
return Fields(self.context.__schema__, omitReadOnly=True)
+
+ def update(self):
+ if not checkPermission(self.context.__permission__, self.context):
+ raise Unauthorized()
+
+ super(PreferenceGroupView, self).update()
Modified: z3ext.preferences/trunk/src/z3ext/preferences/interfaces.py
===================================================================
--- z3ext.preferences/trunk/src/z3ext/preferences/interfaces.py 2008-12-22 22:48:30 UTC (rev 94254)
+++ z3ext.preferences/trunk/src/z3ext/preferences/interfaces.py 2008-12-23 08:05:43 UTC (rev 94255)
@@ -66,6 +66,8 @@
required = False)
__principal__ = interface.Attribute('Owner principal of preferences')
+ __permission__ = interface.Attribute('Set schema permission')
+ __accesspermission__ = interface.Attribute('Access schema permission')
def isAvailable():
""" is group available for bound principal """
Modified: z3ext.preferences/trunk/src/z3ext/preferences/utils.py
===================================================================
--- z3ext.preferences/trunk/src/z3ext/preferences/utils.py 2008-12-22 22:48:30 UTC (rev 94254)
+++ z3ext.preferences/trunk/src/z3ext/preferences/utils.py 2008-12-23 08:05:43 UTC (rev 94255)
@@ -77,10 +77,5 @@
return self.iface.providedBy(group.__principal__)
-class PermissionChecker(object):
-
- def __init__(self, permission):
- self.permission = permission
-
- def __call__(self, prefs):
- return checkPermission(self.permission, prefs)
+def PermissionChecker(prefs):
+ return checkPermission(prefs.__permission__, prefs)
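Review bot: `PermissionChecker` is now a plain function but keeps its CamelCase class name and has no docstring, so a reader cannot tell from the definition that it is an availability test read off the group itself. The name is presumably kept so the `from utils import PrincipalChecker, PermissionChecker` import in zcml.py keeps working; a one-line docstring would at least make the contract explicit, e.g. `"""Availability test: True when the current interaction holds the group's set-schema permission (prefs.__permission__)."""`. Since `prefs.__permission__` may be read through a security proxy, it is worth a comment that the attribute is granted CheckerPublic in zcml.py for exactly this reason.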
Modified: z3ext.preferences/trunk/src/z3ext/preferences/zcml.py
===================================================================
--- z3ext.preferences/trunk/src/z3ext/preferences/zcml.py 2008-12-22 22:48:30 UTC (rev 94254)
+++ z3ext.preferences/trunk/src/z3ext/preferences/zcml.py 2008-12-23 08:05:43 UTC (rev 94255)
@@ -36,8 +36,8 @@
from zope.app.security.protectclass import \
protectName, protectSetAttribute, protectLikeUnto
+from preference import PreferenceGroup
from interfaces import IPreferenceGroup
-from preference import PreferenceGroup
from preferencetype import PreferenceType
from utils import PrincipalChecker, PermissionChecker
@@ -85,6 +85,11 @@
permission = Permission(
title = u'Permission',
+ description = u'Default set schema permission.',
+ required = False)
+
+ accesspermission = Permission(
+ title = u'Access permission',
description = u'Default access permission.',
required = False)
@@ -114,17 +119,23 @@
def __init__(self, _context, id, schema, title,
for_=None, description=u'', class_=None, provides=[],
- permission='z3ext.ModifyPreference', tests=(), order = 9999):
+ permission='z3ext.ModifyPreference', accesspermission='',
+ tests=(), order = 9999):
+ if not accesspermission:
+ accesspermission = permission
+
Class = PreferenceType(str(id), schema, class_, title, description)
Class.order = order
+ Class.__permission__ = permission
+ Class.__accesspermission__ = accesspermission
+ tests = tuple(tests)
+ if permission != 'zope.Public':
+ tests = tests + (PermissionChecker,)
if interface.interfaces.IInterface.providedBy(for_):
tests = tests + (PrincipalChecker(for_),)
- if permission != 'zope.Public':
- tests = tuple(tests) + (PermissionChecker(permission),)
-
group = Class(tests)
utility(_context, IPreferenceGroup, group, name=id)
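Review bot: The availability test is still keyed solely on the set permission: `PermissionChecker` reads `prefs.__permission__` (utils.py hunk) and is only installed when `permission != 'zope.Public'`, so `accesspermission` is stored on the class but never influences whether the group is available. If the intent of the new `accesspermission` is to let read-only principals see the group, the test should consult `__accesspermission__` and the condition should be `if accesspermission != 'zope.Public':` — please confirm which semantics are intended, as the defaulting `if not accesspermission: accesspermission = permission` hides the difference whenever only `permission` is configured. Converting `tests` to a tuple before the first concatenation (rather than inside the second branch, as before) is a good fix, since `tests` may arrive as a list from ZCML.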
@@ -139,13 +150,16 @@
self._context = _context
self._permission = permission
- self.require(_context, permission,
- interface=(IPreferenceGroup, schema), set_schema=(schema,))
+ self.require(_context, permission, set_schema=(schema,))
+ self.require(_context, accesspermission,
+ interface=(IPreferenceGroup, schema))
+
self.require(_context, CheckerPublic,
interface=(IEnumerableMapping, ILocation),
attributes=('isAvailable',
'__id__', '__schema__',
- '__title__', '__description__'))
+ '__title__', '__description__',
+ '__permission__'))
schema.setTaggedValue('preferenceID', id)
@@ -155,11 +169,8 @@
def require(self, _context,
permission=None, attributes=None, interface=None,
- like_class=None, set_attributes=None, set_schema=None):
+ set_attributes=None, set_schema=None):
"""Require a permission to access a specific aspect"""
- if like_class:
- self.__mimic(_context, like_class)
-
if not (interface or attributes or set_attributes or set_schema):
if like_class:
return
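Review bot: Removing the `like_class` parameter from `require` leaves the context lines `if like_class:` / `return` referencing a name that no longer exists, so any call with none of `interface`, `attributes`, `set_attributes` or `set_schema` now raises `NameError` instead of taking the previous path. The two lines should be deleted along with the parameter, so that the `if not (...)` branch falls straight through to whatever follows it (presumably the error raise; that part is outside this hunk). The `__mimic` removal in the next hunk also appears to leave the `protectLikeUnto` import in the first zcml.py hunk unused, though the rest of the module is not visible here. The body of `require` continues past this hunk.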
@@ -183,14 +194,6 @@
for s in set_schema:
self.__protectSetSchema(s, permission)
- def __mimic(self, _context, class_):
- """Base security requirements on those of the given class"""
- _context.action(
- discriminator=('z3ext:preferences:mimic', self._class),
- callable=protectLikeUnto,
- args=(self._class, class_),
- )
-
def allow(self, _context, attributes=None, interface=None):
"""Like require, but with permission_id zope.Public"""
return self.require(_context, self._permission, attributes, interface)