[Checkins] SVN: grokcore.view/trunk/s Moving the publication "hack" from ``grok`` to ``grokcore.view``
Souheil CHELFOUH
souheil at chelfouh.com
Wed Nov 3 07:02:35 EDT 2010
Log message for revision 118141:
Moving the publication "hack" from ``grok`` to ``grokcore.view``
Changed:
U grokcore.view/trunk/setup.py
A grokcore.view/trunk/src/grokcore/view/publication.py
A grokcore.view/trunk/src/grokcore/view/publication_security.zcml
-=-
Modified: grokcore.view/trunk/setup.py
===================================================================
--- grokcore.view/trunk/setup.py 2010-11-03 07:54:06 UTC (rev 118140)
+++ grokcore.view/trunk/setup.py 2010-11-03 11:02:35 UTC (rev 118141)
@@ -40,6 +40,10 @@
'zope.principalregistry',
]
+publication_require = [
+ 'zope.app.publication'
+ ]
+
setup(
name='grokcore.view',
version='2.1dev',
@@ -64,5 +68,6 @@
zip_safe=False,
install_requires=install_requires,
tests_require=tests_require,
- extras_require={'test': tests_require},
+ extras_require={'test': tests_require,
+ 'security_publication': publication_require},
)
Added: grokcore.view/trunk/src/grokcore/view/publication.py
===================================================================
--- grokcore.view/trunk/src/grokcore/view/publication.py (rev 0)
+++ grokcore.view/trunk/src/grokcore/view/publication.py 2010-11-03 11:02:35 UTC (rev 118141)
@@ -0,0 +1,70 @@
+# -*- coding: utf-8 -*-
+from zope.security.proxy import removeSecurityProxy
+from zope.security.checker import selectChecker
+from zope.publisher.interfaces.browser import IBrowserView
+from zope.app.publication.browser import BrowserPublication
+from grokcore.view import IGrokSecurityView
+
+
+class ZopePublicationSansProxy(object):
+ """Mixin that makes a publisher remove security proxies.
+
+ This mixin overrides three methods from the `IPublication`
+ interface (defined in `zope.publisher.interfaces`) to alter their
+ security behavior. The normal Zope machinery wraps a security
+ proxy around the application object returned by
+ `getApplication()`, and around each of the objects returned as
+ `traverseName()` is then called for each URL component. The
+ versions here strip the security proxy off instead, returning the
+ bare object (unless the object is a non-Grok view, in which case
+ we leave the proxy installed for important security
+ reasons). Non-Grok views however, are handled like Grok views, if
+ they provide `grokcore.view.IGrokSecurityView`.
+
+ Finally, when `callObject()` is asked to render
+ the view, we quickly re-install a security proxy on the object, make
+ sure that the current user is indeed allowed to invoke `__call__()`,
+ then pass the bare object to the rendering machinery.
+
+ The result is that, in place of the elaborate series of security
+ checks made during the processing of a normal Zope request, Grok
+ makes only a single security check: to see if the view can be
+ permissibly rendered or not.
+
+ """
+ def getApplication(self, request):
+ result = super(ZopePublicationSansProxy, self).getApplication(request)
+ return removeSecurityProxy(result)
+
+ def traverseName(self, request, ob, name):
+ result = super(ZopePublicationSansProxy, self).traverseName(
+ request, ob, name)
+ bare_result = removeSecurityProxy(result)
+ if IBrowserView.providedBy(bare_result):
+ if IGrokSecurityView.providedBy(bare_result):
+ return bare_result
+ else:
+ return result
+ else:
+ return bare_result
+
+ def callObject(self, request, ob):
+ checker = selectChecker(ob)
+ if checker is not None:
+ checker.check(ob, '__call__')
+ return super(ZopePublicationSansProxy, self).callObject(request, ob)
+
+
+class GrokBrowserPublication(ZopePublicationSansProxy, BrowserPublication):
+ """Combines `BrowserPublication` with the Grok sans-proxy mixin.
+
+ In addition to the three methods that are overridden by the
+ `ZopePublicationSansProxy`, this class overrides a fourth: the
+ `getDefaultTraversal()` method, which strips the security proxy from
+ the object being returned by the normal method.
+
+ """
+ def getDefaultTraversal(self, request, ob):
+ obj, path = super(GrokBrowserPublication, self).getDefaultTraversal(
+ request, ob)
+ return removeSecurityProxy(obj), path
Added: grokcore.view/trunk/src/grokcore/view/publication_security.zcml
===================================================================
--- grokcore.view/trunk/src/grokcore/view/publication_security.zcml (rev 0)
+++ grokcore.view/trunk/src/grokcore/view/publication_security.zcml 2010-11-03 11:02:35 UTC (rev 118141)
@@ -0,0 +1,8 @@
+<configure
+ xmlns="http://namespaces.zope.org/zope"
+ xmlns:grok="http://namespaces.zope.org/grok">
+
+ <include package="zope.app.publication" />
+ <grok:grok package=".publication" />
+
+</configure>
More information about the checkins
mailing list