[Checkins] SVN: z3c.formwidget.query/trunk/src/z3c/formwidget/query/ If one of the values to be returned provides IRoleManager, then check for permission first
Franco Pellegrini
cvs-admin at zope.org
Thu Feb 9 15:08:32 UTC 2012
Log message for revision 124343:
If one of the values to be returned provides IRoleManager, then check for permission first
Changed:
U z3c.formwidget.query/trunk/src/z3c/formwidget/query/README.txt
U z3c.formwidget.query/trunk/src/z3c/formwidget/query/widget.py
-=-
Modified: z3c.formwidget.query/trunk/src/z3c/formwidget/query/README.txt
===================================================================
--- z3c.formwidget.query/trunk/src/z3c/formwidget/query/README.txt 2012-02-09 07:28:18 UTC (rev 124342)
+++ z3c.formwidget.query/trunk/src/z3c/formwidget/query/README.txt 2012-02-09 15:08:30 UTC (rev 124343)
@@ -323,7 +323,103 @@
>>> 'Palermo' in widget()
False
+Permission
+----------
+First let's create a simple security policy
+
+ >>> from zope.security.interfaces import IInteraction
+ >>> from zope.security.interfaces import ISecurityPolicy
+ >>> from zope.security.simplepolicies import ParanoidSecurityPolicy
+ >>> from zope.security.management import thread_local
+ >>> from zope.interface import classProvides
+
+ >>> class SimpleSecurityPolicy(ParanoidSecurityPolicy):
+ ... classProvides(ISecurityPolicy)
+ ... interface.implements(IInteraction)
+ ...
+ ... def checkPermission(self, permission, object):
+ ... return object.permission == permission
+
+ >>> thread_local.interaction = SimpleSecurityPolicy()
+
+Let's define a permission aware object
+
+ >>> from AccessControl.interfaces import IRoleManager
+ >>> class Document(object):
+ ... interface.implements(IRoleManager)
+ ...
+ ... name = None
+ ... permission = None
+ ...
+ ... def __init__(self, name, permission):
+ ... self.name = name
+ ... self.permission = permission
+
+ >>> secret_document = Document(u'Secret', 'zope2.Secret')
+ >>> public_document = Document(u'Public', 'zope2.View')
+
+ >>> class PermissionSource(object):
+ ... interface.implements(IQuerySource)
+ ...
+ ... vocabulary = SimpleVocabulary((
+ ... SimpleTerm(secret_document, 'secret', u'Secret'),
+ ... SimpleTerm(public_document, 'public', u'Public')))
+ ...
+ ... def __init__(self, context):
+ ... self.context = context
+ ...
+ ... __contains__ = vocabulary.__contains__
+ ... __iter__ = vocabulary.__iter__
+ ... getTerm = vocabulary.getTerm
+ ... getTermByToken = vocabulary.getTermByToken
+ ...
+ ... def search(self, query_string):
+ ... return [v for v in self if query_string.lower() in v.name.lower()]
+
+ >>> from zope.schema.interfaces import IContextSourceBinder
+
+ >>> class PermissionSourceBinder(object):
+ ... interface.implements(IContextSourceBinder)
+ ...
+ ... def __call__(self, context):
+ ... return PermissionSource(context)
+
+Now our field
+
+ >>> document = zope.schema.Choice(
+ ... __name__='document',
+ ... title=u'Document',
+ ... description=u'Select a document.',
+ ... source=PermissionSourceBinder())
+
+ >>> class Person(object):
+ ...
+ ... document = None
+
+Let's first select our private document
+
+ >>> person = Person()
+ >>> person.document = secret_document
+
+ >>> request = TestRequest()
+
+ >>> widget = setupWidget(document, person, request)
+ >>> u'Secret' not in widget()
+ True
+
+And now, let's try with the public one
+
+ >>> person = Person()
+ >>> person.document = public_document
+
+ >>> request = TestRequest()
+
+ >>> widget = setupWidget(document, person, request)
+ >>> u'Public' in widget()
+ True
+
+
Todo
----
Modified: z3c.formwidget.query/trunk/src/z3c/formwidget/query/widget.py
===================================================================
--- z3c.formwidget.query/trunk/src/z3c/formwidget/query/widget.py 2012-02-09 07:28:18 UTC (rev 124342)
+++ z3c.formwidget.query/trunk/src/z3c/formwidget/query/widget.py 2012-02-09 15:08:30 UTC (rev 124343)
@@ -3,8 +3,11 @@
import zope.schema
import zope.schema.interfaces
+from zope.security import checkPermission
+
from zope.schema.vocabulary import SimpleVocabulary
from zope.schema.interfaces import ISource, IContextSourceBinder
+from AccessControl.interfaces import IRoleManager
import z3c.form.interfaces
import z3c.form.button
@@ -136,6 +139,9 @@
for value in selection:
if not value:
continue
+ if IRoleManager.providedBy(value):
+ if not checkPermission('zope2.View', value):
+ continue
try:
terms.append(source.getTerm(value))
except LookupError:
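Review bot: The permission name `'zope2.View'` is hard-coded inside the selection loop, and the check only fires for values that provide IRoleManager, so a caller cannot change which permission gates display without editing the loop. Hoisting it to a class attribute such as `permission = 'zope2.View'` and folding the two ifs into one, `if IRoleManager.providedBy(value) and not checkPermission(self.permission, value):` followed by `continue`, keeps the loop flat and lets subclasses override the permission. This branch filters only the pre-selected values in `selection`; if the query-results path elsewhere in the method builds terms from the source's `search()` without the same check, an unauthorized object could still be listed there, which is worth confirming. The enclosing method starts and ends outside this hunk.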