[Checkins] SVN: grok/trunk/src/grok/ftests/security/security_view.py Add tests for IGrokSecurityView behaviour.

Uli Fouquet uli at gnufix.de
Sat Dec 27 08:31:41 EST 2008


Log message for revision 94378:
  Add tests for IGrokSecurityView behaviour.

Changed:
  A   grok/trunk/src/grok/ftests/security/security_view.py

-=-
Added: grok/trunk/src/grok/ftests/security/security_view.py
===================================================================
--- grok/trunk/src/grok/ftests/security/security_view.py	                        (rev 0)
+++ grok/trunk/src/grok/ftests/security/security_view.py	2008-12-27 13:31:41 UTC (rev 94378)
@@ -0,0 +1,68 @@
+"""
+Non-grok views, that also provide `IGrokSecurityView` are handled more
+openly by the Grok publisher.
+
+We create an app, that provides a non-Grok view::
+
+  >>> root = getRootFolder()
+  >>> root['app'] = App()
+
+The view must be registered first. We register it for our `app` as
+context::
+
+  >>> from zope.publisher.interfaces.browser import IDefaultBrowserLayer
+  >>> from grok.ftests.security.security_view import App, Index
+
+  >>> from zope.component import provideAdapter
+  >>> from zope.interface import Interface
+  >>> provideAdapter(Index, (App, IDefaultBrowserLayer), Interface, 'index')
+
+We create a permission checker for this view, which allows everybody
+to use the `__call__` method::
+
+  >>> from grok.util import make_checker
+  >>> make_checker(App, Index, None)
+
+However, when we want to watch this view, we run into trouble::
+
+  >>> from zope.testbrowser.testing import Browser
+  >>> browser = Browser()
+  >>> browser.handleErrors = False
+  >>> browser.open('http://localhost/app/@@index')
+  Traceback (most recent call last):
+  ...
+  ForbiddenAttribute: ('browserDefault', <...Index object at 0x...>)
+
+This happens, because we did not set any permissions for the
+`browserDefault` method, which in 'normal' Zope3 environments means,
+that access to this attribute/method is forbidden for unauthenticated
+users.
+
+Grok, however, provides a different security policy, which is less
+strict in checking attribute and method permissions. This open policy
+is for security reasons *not* applied to non-grok views, except, if
+the view provides `IGrokSecurityView` and this way tells, that it
+really wants the grok security to be applied on its methods and
+attributes.
+
+We let instances of `Index` provide `IGrokSecurityView`::
+
+  >>> from zope.interface import classImplements
+  >>> classImplements(Index, grok.interfaces.IGrokSecurityView)
+
+Now we can watch the view::
+
+  >>> browser.open('http://localhost/app/@@index')
+  >>> print browser.contents
+  Hello from index
+
+"""
+import grok
+from zope.publisher.browser import BrowserPage
+
+class App(grok.Application, grok.Container):
+    pass
+
+class Index(BrowserPage):
+    def __call__(self):
+        return 'Hello from index'
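Review bot: the doctest only covers a view whose checker is built with `make_checker(App, Index, None)`, which the docstring itself describes as allowing everybody to use `__call__`. It therefore shows that `IGrokSecurityView` stops `browserDefault` from raising `ForbiddenAttribute`, but not that a permission on `__call__` is still enforced once the relaxed policy applies. I would add a second view registered with a real permission and assert that an anonymous `browser.open` is still refused after `classImplements`. Separately, `provideAdapter(Index, ...)` and `classImplements(Index, grok.interfaces.IGrokSecurityView)` change global state and nothing in the docstring undoes them. If the functional test layer does not reset this, later tests will see `Index` as a Grok security view, so a short teardown or a comment saying the layer handles it would help. Minor: `root['app'] = App()` appears before the `from grok.ftests.security.security_view import App, Index` line, and `grok` is used in the doctest without a visible import there; putting the imports first would make the example readable on its own.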


