[Checkins] SVN: grokcore.view/trunk/src/grokcore/view/ Just
protecting a view's __call__ isn't enough for regular Zope 3:
Philipp von Weitershausen
philikon at philikon.de
Tue Jul 22 13:53:11 EDT 2008
Log message for revision 88721:
Just protecting a view's __call__ isn't enough for regular Zope 3:
You also need to protect 'browserPage', 'publishTraverse', etc. (see IBrowserPage).
Getting rid of the now useless make_checker helper as well.
Changed:
U grokcore.view/trunk/src/grokcore/view/meta.py
U grokcore.view/trunk/src/grokcore/view/util.py
-=-
Modified: grokcore.view/trunk/src/grokcore/view/meta.py
===================================================================
--- grokcore.view/trunk/src/grokcore/view/meta.py 2008-07-22 17:47:14 UTC (rev 88720)
+++ grokcore.view/trunk/src/grokcore/view/meta.py 2008-07-22 17:53:11 UTC (rev 88721)
@@ -2,6 +2,7 @@
from zope import component, interface
from zope.publisher.interfaces.browser import IBrowserRequest
+from zope.publisher.interfaces.browser import IBrowserPage
from zope.publisher.interfaces.browser import IDefaultBrowserLayer
from zope.publisher.interfaces.browser import IBrowserSkinType
from zope.security.interfaces import IPermission
@@ -17,7 +18,7 @@
from grokcore.view import templatereg
from grokcore.view.util import default_view_name
from grokcore.view.util import default_fallback_to_name
-from grokcore.view.util import make_checker
+from grokcore.view.util import protect_name
class SkinGrokker(martian.ClassGrokker):
@@ -105,13 +106,12 @@
martian.directive(grokcore.view.require, name='permission')
def execute(self, factory, config, permission, **kw):
- config.action(
- # TODO For pure Zope 3 we need to protect the whole
- # IBrowserPage interface, not just __call__
- discriminator=('protectName', factory, '__call__'),
- callable=make_checker,
- args=(factory, factory, permission),
- )
+ for method_name in list(IBrowserPage):
+ config.action(
+ discriminator=('protectName', factory, method_name),
+ callable=protect_name,
+ args=(factory, method_name, permission),
+ )
return True
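Review bot: The new loop in `execute` has no comment saying what happens when a view class carries no `grokcore.view.require` directive, and the removed TODO was the only explanation at this spot. In that case `permission` arrives as None and `protect_name` rewrites it to 'zope.Public', so every name declared by IBrowserPage is registered as public for that view. I would state this above the loop, e.g. `# No require directive: permission is None and protect_name declares each IBrowserPage name zope.Public.` The `list()` wrapper also looks unnecessary if the interface is only being iterated. The enclosing grokker class starts outside the hunk.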
Modified: grokcore.view/trunk/src/grokcore/view/util.py
===================================================================
--- grokcore.view/trunk/src/grokcore/view/util.py 2008-07-22 17:47:14 UTC (rev 88720)
+++ grokcore.view/trunk/src/grokcore/view/util.py 2008-07-22 17:53:11 UTC (rev 88721)
@@ -3,8 +3,8 @@
from zope import component
from zope.traversing.browser.interfaces import IAbsoluteURL
from zope.traversing.browser.absoluteurl import _safe as SAFE_URL_CHARACTERS
-from zope.security.checker import NamesChecker, defineChecker
from zope.security.interfaces import IPermission
+from zope.app.security.protectclass import protectName
from martian.error import GrokError
@@ -31,21 +31,16 @@
def default_fallback_to_name(factory, module, name, **data):
return name
-def make_checker(factory, view_factory, permission, method_names=None):
- """Make a checker for a view_factory associated with factory.
-
- These could be one and the same for normal views, or different
- in case we make method-based views such as for JSON and XMLRPC.
- """
- if method_names is None:
- method_names = ['__call__']
- if permission is not None:
- check_permission(factory, permission)
- if permission is None or permission == 'zope.Public':
- checker = NamesChecker(method_names)
+def protect_name(class_, name, permission=None):
+ # Define an attribute checker using zope.app.security's
+ # protectName that defaults to the 'zope.Public' permission when
+ # it's not been given and makes sure the permission has actually
+ # been defined when it has.
+ if permission is None:
+ permission = 'zope.Public'
else:
- checker = NamesChecker(method_names, permission)
- defineChecker(view_factory, checker)
+ check_permission(class_, permission)
+ protectName(class_, name, permission)
def check_permission(factory, permission):
"""Check whether a permission is defined.
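Review bot: `protect_name` makes a name public whenever the caller omits `permission`, because the `permission=None` default is rewritten to 'zope.Public'. A forgotten argument and a deliberate public declaration therefore look the same at the call site. The only caller visible in this commit passes `permission` explicitly, so the default could be dropped (`def protect_name(class_, name, permission):`) while keeping the None to 'zope.Public' mapping for views without a require directive. The leading `#` comment would also be better as a docstring, matching `check_permission` below it, whose body continues past the end of the hunk.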