[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Security - AnnotationPrincipalPermissionManager.py:1.1.2.3 AnnotationRolePermissionManager.py:1.1.2.3 PermissionRegistry.py:1.1.2.17 PrincipalPermissionView.py:1.1.2.5 PrincipalRegistry.py:1.1.2.15 PrincipalRoleView.py:1.1.2.6 RolePermissionView.py:1.1.2.11 Zope3RoleManagement.py:1.1.2.3 ZopeSecurityPolicy.py:1.1.2.27 metaConfigure.py:1.1.2.27 protectClass.py:1.1.2.15 security-meta.zcml:1.1.2.6 security.zcml:1.1.2.9 publicClass.py:NONE

Jim Fulton jim@zope.com
Fri, 7 Jun 2002 10:41:48 -0400


Update of /cvs-repository/Zope3/lib/python/Zope/App/Security
In directory cvs.zope.org:/tmp/cvs-serv12187/lib/python/Zope/App/Security

Modified Files:
      Tag: Zope-3x-branch
	AnnotationPrincipalPermissionManager.py 
	AnnotationRolePermissionManager.py PermissionRegistry.py 
	PrincipalPermissionView.py PrincipalRegistry.py 
	PrincipalRoleView.py RolePermissionView.py 
	Zope3RoleManagement.py ZopeSecurityPolicy.py metaConfigure.py 
	protectClass.py security-meta.zcml security.zcml 
Removed Files:
      Tag: Zope-3x-branch
	publicClass.py 
Log Message:
Merging in Zope3InWonderland-branch, which implemented the following
proposals (see
http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/OldProposals): 
- RenameAllowToRequire

- GroupClassRelatedDirectivesInClassDirective

- ViewInterfaceAndSimplification

- ConsistentUseOfSpacesAsDelimitersInZCMLAttributes

- TwoArgumentViewConstructors

- ImplementsInZCML

- SimpleViewCreationInZCML

- RemoveGetView

- ReplaceProtectWithAllow

- ViewMethodsAsViews

- MergeProtectionAndComponentDefinitions

There were also various security fixes resulting from better integration
of security with components.


=== Zope3/lib/python/Zope/App/Security/AnnotationPrincipalPermissionManager.py 1.1.2.2 => 1.1.2.3 ===
         """ Get the principal permission map stored in the context, optionally
             creating one if necessary """
-        annotations = getAdapter(self._context, IAnnotations)
+        # need to remove security proxies here, otherwise we enter
+        # an infinite loop, becuase checking security depends on
+        # getting PrincipalPermissions.
+        from Zope.Proxy.ProxyIntrospection import removeAllProxies
+        context = removeAllProxies(self._context)
+        annotations = getAdapter(context, IAnnotations)
         try:
             return annotations[annotation_key]
         except KeyError:
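
Review bot: the added `removeAllProxies(self._context)` call, going by its name, strips every proxy and not only the security proxy the comment talks about, so the annotation lookup and the map returned from `annotations[annotation_key]` are reached with no security checks at all. Please state in the docstring that this method is trusted code and that its return value must not be handed back to untrusted callers. The import inside the method body should move to module level unless it is there to avoid a circular import, in which case say so in the comment, and the comment has a typo ("becuase").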


=== Zope3/lib/python/Zope/App/Security/AnnotationRolePermissionManager.py 1.1.2.2 => 1.1.2.3 ===
         """Get the role permission map stored in the context, optionally
            creating one if necessary"""
-        annotations = getAdapter(self._context, IAnnotations)
+        # need to remove security proxies here, otherwise we enter
+        # an infinite loop, becuase checking security depends on
+        # getting RolePermissions.
+        from Zope.Proxy.ProxyIntrospection import removeAllProxies
+        context = removeAllProxies(self._context)
+        annotations = getAdapter(context, IAnnotations)
         try:
             return annotations[annotation_key]
         except KeyError:
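
Review bot: the six added lines here are a copy of the block added to AnnotationPrincipalPermissionManager.py in this same checkin, differing only in the word RolePermissions in the comment. One shared helper that takes the context and returns the unproxied annotations would keep the proxy stripping in a single place that can be audited, and the "becuase" typo would then only need fixing once.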


=== Zope3/lib/python/Zope/App/Security/PermissionRegistry.py 1.1.2.16 => 1.1.2.17 ===
         """Define a new permission object, register, and return it.
 
-        name is the permission name, must be globally unique
+        permission is the permission name, must be globally unique
 
         title is the permission title, human readable.
 
         description (optional) is human readable
         """
+        if permission.startswith('.'):
+            raise ValueError("permissions must not start with a '.'")
         return self.register(permission, title, description)
 
     def definedPermission(self, permission_id):
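
Review bot: the new `permission.startswith('.')` check rejects a leading dot, but the docstring edited in this same hunk does not mention the restriction or the reason for it. Add a line to the docstring stating the rule and why it exists (presumably because leading-dot names are used as package-relative references in the ZCML of this checkin, e.g. `.RolePermissionView.`), and put the offending value in the ValueError message so a bad configuration entry is easy to locate.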


=== Zope3/lib/python/Zope/App/Security/PrincipalPermissionView.py 1.1.2.4 => 1.1.2.5 ===
 
 from Zope.App.PageTemplate import ViewPageTemplateFile
-from Zope.Publisher.Browser.AttributePublisher import AttributePublisher
+from Zope.Publisher.Browser.BrowserView import BrowserView
 from Zope.ComponentArchitecture.ContextDependent import ContextDependent
 from Zope.ComponentArchitecture import getService, getAdapter
 from IPrincipalPermissionMap import IPrincipalPermissionMap
 from IPrincipalPermissionManager import IPrincipalPermissionManager
 from Settings import Allow, Deny, Unset
 
-class PrincipalPermissionView(AttributePublisher, ContextDependent):
+class PrincipalPermissionView(BrowserView):
 
     index = ViewPageTemplateFile('pt/principal_permission_edit.pt')
 
     def get_permission_service(self):
-        return getService(self.getContext(), 'PermissionService')
+        return getService(self.context, 'PermissionService')
 
     def get_principal(self, principal_id):
-        return getService(self.getContext(),
+        return getService(self.context,
                           'AuthenticationService'
                           ).getPrincipal(principal_id)
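
Review bot: the context line `from Zope.ComponentArchitecture.ContextDependent import ContextDependent` is kept although the class statement in this hunk no longer inherits from ContextDependent. If nothing else in the module uses it, drop the import here; the same leftover appears in the PrincipalRoleView.py and RolePermissionView.py hunks of this checkin.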
 
@@ -41,7 +41,7 @@
         """Form action unsetting a principals permissions"""
         permission_service = self.get_permission_service()
         principal = self.get_principal(principal_id)
-        ppm = getAdapter(self.getContext(), IPrincipalPermissionManager)
+        ppm = getAdapter(self.context, IPrincipalPermissionManager)
 
         for perm_id in permission_ids:
             permission = permission_service.getPermission(perm_id)
@@ -55,7 +55,7 @@
         """Form action granting a list of permissions to a principal"""
         permission_service = self.get_permission_service()
         principal = self.get_principal(principal_id)
-        ppm = getAdapter(self.getContext(), IPrincipalPermissionManager)
+        ppm = getAdapter(self.context, IPrincipalPermissionManager)
 
         for perm_id in permission_ids:
             permission = permission_service.getPermission(perm_id)
@@ -68,7 +68,7 @@
         """Form action denying a list of permissions for a principal"""
         permission_service = self.get_permission_service()
         principal = self.get_principal(principal_id)
-        ppm = getAdapter(self.getContext(), IPrincipalPermissionManager)
+        ppm = getAdapter(self.context, IPrincipalPermissionManager)
 
         for perm_id in permission_ids:
             permission = permission_service.getPermission(perm_id)
@@ -81,9 +81,9 @@
     def getUnsetPermissionsForPrincipal(self, principal_id):
         """Returns all unset permissions for this principal"""
 
-        ppmap = getAdapter(self.getContext(), IPrincipalPermissionMap)
+        ppmap = getAdapter(self.context, IPrincipalPermissionMap)
         principal = self.get_principal(principal_id)
-        perm_serv = getService(self.getContext(), 'PermissionService')
+        perm_serv = getService(self.context, 'PermissionService')
         result = []
         for perm in perm_serv.getPermissions():
             if ppmap.getSetting(perm, principal) == Unset:
@@ -98,7 +98,7 @@
            Return empty list if there are no permissions.
         """
     
-        ppmap = getAdapter(self.getContext(), IPrincipalPermissionMap)
+        ppmap = getAdapter(self.context, IPrincipalPermissionMap)
         principal = self.get_principal(principal_id)
         
         permission_settings = ppmap.getPermissionsForPrincipal(principal)


=== Zope3/lib/python/Zope/App/Security/PrincipalRegistry.py 1.1.2.14 => 1.1.2.15 ===
 from Zope.Exceptions import NotFoundError
 from ILoginPassword import ILoginPassword
-from Zope.ComponentArchitecture import getAdapter
+from Zope.ComponentArchitecture import getAdapter, queryAdapter
 
 class DuplicateLogin(Exception): pass
 class DuplicateId(Exception): pass
@@ -33,7 +33,7 @@
     # Methods implementing IAuthenticationService
     
     def authenticate(self, request):
-        a = getAdapter(request, ILoginPassword, None)
+        a = queryAdapter(request, ILoginPassword, None)
         if a is not None:
             login = a.getLogin()
             if login is not None:
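
Review bot: the None default passed to `queryAdapter(request, ILoginPassword, None)` means a request without an ILoginPassword adapter skips the whole `if a is not None:` block, and what authenticate() returns in that case is not visible in this hunk. Please add a test that such a request is treated as unauthenticated. The import hunk above also keeps `getAdapter` next to the new `queryAdapter`; drop it if this call was its only user.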


=== Zope3/lib/python/Zope/App/Security/PrincipalRoleView.py 1.1.2.5 => 1.1.2.6 ===
 import time
 from Zope.App.PageTemplate import ViewPageTemplateFile
-from Zope.Publisher.Browser.AttributePublisher import AttributePublisher
+from Zope.Publisher.Browser.BrowserView import BrowserView
 from Zope.ComponentArchitecture.ContextDependent import ContextDependent
 from Zope.ComponentArchitecture import getService, getAdapter
 
@@ -29,7 +29,7 @@
 from Zope.App.Security.IPermission import IPermission
 from Zope.App.Security.IRole import IRole
 
-class PrincipalRoleView(AttributePublisher, ContextDependent):
+class PrincipalRoleView(BrowserView):
 
     index = ViewPageTemplateFile('pt/principal_role_association.pt')
 
@@ -39,7 +39,7 @@
 
         if principals is None:
             principals = self._principals = getService(
-                self.getContext(), 'AuthenticationService'
+                self.context, 'AuthenticationService'
                 ).getPrincipals()
 
         return principals
@@ -49,8 +49,7 @@
         roles = getattr(self, '_roles', None)
 
         if roles is None:
-            roles = self._roles = getService(
-                self.getContext(), 'RoleService'
+            roles = self._roles = getService(self.context, 'RoleService'
                 ).getRoles()
 
         return roles
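
Review bot: style point on the replacement line `roles = self._roles = getService(self.context, 'RoleService'`. The call is left open at the end of the line and closed by `).getRoles()` on the next one, which reads as if the argument list were incomplete, and it differs from the layout kept for the AuthenticationService lookup in the previous hunk. Keep the arguments on their own line as in that hunk.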
@@ -63,7 +62,7 @@
         if not roles:
             roles = self.getAllRoles()
 
-        return PrincipalRoleGrid( principals, roles, self.getContext() )
+        return PrincipalRoleGrid( principals, roles, self.context )
         
     def action(self, principals, roles, mapping, testing=None):
 


=== Zope3/lib/python/Zope/App/Security/RolePermissionView.py 1.1.2.10 => 1.1.2.11 ===
 import os, time
 from Zope.App.PageTemplate import ViewPageTemplateFile
-from Zope.Publisher.Browser.AttributePublisher import AttributePublisher
+from Zope.Publisher.Browser.BrowserView import BrowserView
 from Zope.ComponentArchitecture.ContextDependent import ContextDependent
 from Zope.ComponentArchitecture import getService, getAdapter
 from Zope.App.Security.IRolePermissionManager import IRolePermissionManager
@@ -26,7 +26,7 @@
 from Zope.App.Security.IRole import IRole
 from Zope.App.Security.Settings import Allow, Assign
 
-class RolePermissionView(AttributePublisher, ContextDependent):
+class RolePermissionView(BrowserView):
 
     index = ViewPageTemplateFile('pt/manage_access.pt')
     manage_permissionForm = ViewPageTemplateFile('pt/manage_permissionForm.pt')
@@ -36,7 +36,7 @@
         roles = getattr(self, '_roles', None)
         if roles is None:
             roles = self._roles = getService(
-                self.getContext(), 'RoleService'
+                self.context, 'RoleService'
                 ).getRoles()
         return roles
 
@@ -44,26 +44,26 @@
         permissions = getattr(self, '_permissions', None)
         if permissions is None:
             permissions = self._permissions = getService(
-                self.getContext(), 'PermissionService'
+                self.context, 'PermissionService'
                 ).getPermissions()
         return permissions
 
         
     def permissionRoles(self):
-        context = self.getContext()
+        context = self.context
         roles = self.roles()
         return [PermissionRoles(permission, context, roles)
                 for permission in self.permissions()]
 
     def permissionForID(self, pid):
-        context = self.getContext()
+        context = self.context
         roles = self.roles()
         perm = getService(context, 'PermissionService'
                           ).getPermission(pid)
         return PermissionRoles(perm, context, roles)
 
     def roleForID(self, rid):
-        context = self.getContext()
+        context = self.context
         permissions = self.permissions()
         role = getService(context, 'RoleService'
                           ).getRole(rid)
@@ -73,7 +73,7 @@
     def action(self, REQUEST, testing=None):
         roles       = [r.getId() for r in self.roles()]
         permissions = [p.getId() for p in self.permissions()]
-        prm         = getAdapter(self.getContext(), IRolePermissionManager)
+        prm         = getAdapter(self.context, IRolePermissionManager)
         for ip in range(len(permissions)):
             rperm = REQUEST.get("p%s" % ip)
             if rperm not in permissions: continue
@@ -92,7 +92,7 @@
 
     def update_permission(self, REQUEST, permission_id,
                           roles=(), testing=None):
-        prm = getAdapter(self.getContext(), IRolePermissionManager)
+        prm = getAdapter(self.context, IRolePermissionManager)
 
         for ir in [r.getId() for r in self.roles()]:
             if ir in roles:
@@ -107,7 +107,7 @@
 
     def update_role(self, REQUEST, role_id,
                     permissions=(), testing=None):
-        prm = getAdapter(self.getContext(), IRolePermissionManager)
+        prm = getAdapter(self.context, IRolePermissionManager)
 
         for ip in [p.getId() for p in self.permissions()]:
             if ip in permissions:


=== Zope3/lib/python/Zope/App/Security/Zope3RoleManagement.py 1.1.2.2 => 1.1.2.3 ===
     """
 
-    __implements__ = ( IRoleManagement, )
+    __implements__ = (IRoleManagement, )
 
-    def __init__( self, context ):
-        self._context = context
+    def __init__(self, context):
+        self.context = context
 
-    
-    def getContext( self ):
-        return self._context
 
     def _getContextBindings( self ):
         """
             Find or create the permission-role bindings for our context.
         """
-        bindings = getattr( self._context, SPECIAL_ATTRIBUTE_NAME, None )
+        bindings = getattr( self.context, SPECIAL_ATTRIBUTE_NAME, None )
 
         if bindings is None:
             bindings = _PermissionRoleBindings()
-            setattr( self._context, SPECIAL_ATTRIBUTE_NAME, bindings )
+            setattr( self.context, SPECIAL_ATTRIBUTE_NAME, bindings )
 
         return bindings
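
Review bot: `self._context` becomes the public attribute `self.context` and `getContext()` is removed, while AnnotationPrincipalPermissionManager.py and AnnotationRolePermissionManager.py in this same checkin still read `self._context`. Please confirm that no remaining caller uses `getContext()` on this class and note in the class docstring that `context` is now part of its interface. The `__init__` signature was normalised to `(self, context)` but `_getContextBindings( self )` and the `getattr( ... )` and `setattr( ... )` calls keep the old spacing; pick one style for the file.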
 


=== Zope3/lib/python/Zope/App/Security/ZopeSecurityPolicy.py 1.1.2.26 => 1.1.2.27 ===
 __version__='$Revision$'[11:-2]
 
-from Zope.ComponentArchitecture import getAdapter
+from Zope.ComponentArchitecture import queryAdapter
 from Zope.Proxy.ContextWrapper import ContainmentIterator
 from Zope.Exceptions import Unauthorized, Forbidden
 from Zope.App.Security.IRolePermissionManager import IRolePermissionManager
@@ -83,7 +83,7 @@
         # Check the placeful principal permissions and aggregate the
         # Roles in this context
         for c in ContainmentIterator(object):
-            ppm = getAdapter(c, IPrincipalPermissionManager, None, globalContext)
+            ppm = queryAdapter(c, IPrincipalPermissionManager, None, globalContext)
             if ppm is not None: 
                 for principal in principals.keys():
                     setting = ppm.getSetting(permission, principal)
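
Review bot: this loop adapts every object yielded by `ContainmentIterator(object)` while a permission check is in progress, which is the dependency that the new comments in the AnnotationPrincipalPermissionManager.py and AnnotationRolePermissionManager.py hunks describe as causing an infinite loop through security proxies. A regression test that runs a permission check against a security-proxied annotatable object would pin that behaviour down. Minor: the new `ppm = queryAdapter(...)` line is longer than 79 columns; wrap the arguments.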
@@ -92,7 +92,7 @@
                     elif setting is Allow:
                         return 1 # Explicit allow on principal
                     
-            prm = getAdapter(c, IPrincipalRoleManager, None, globalContext)
+            prm = queryAdapter(c, IPrincipalRoleManager, None, globalContext)
             if prm is not None:
                 for principal in principals.keys():
                     for role, setting in prm.getRolesForPrincipal(principal):
@@ -121,7 +121,7 @@
                         
         # Check the placeful role permissions, checking anonymous first
         for c in ContainmentIterator(object):
-            rpm = getAdapter(c, IRolePermissionManager, None, globalContext)
+            rpm = queryAdapter(c, IRolePermissionManager, None, globalContext)
             if rpm is not None:
                 for role in ['Anonymous'] + assigned_roles.keys():
                     setting = rpm.getSetting(permission, role)


=== Zope3/lib/python/Zope/App/Security/metaConfigure.py 1.1.2.26 => 1.1.2.27 ===
 $Id$
 """
-
-
-from protectClass import protectClass
-from publicClass import publicClass
 from PermissionRegistry import permissionRegistry as perm_reg
 from RoleRegistry import roleRegistry as role_reg
 from Zope.Security.SecurityManager import setSecurityPolicy
@@ -41,68 +37,68 @@
             )
         ]
 
-def definePermission(_context, permission_id, title, description=''):
+def definePermission(_context, id, title, description=''):
     return [
         Action(
-            discriminator = ('definePermission', permission_id),
+            discriminator = ('definePermission', id),
             callable = perm_reg.definePermission,
-            args = (permission_id, title, description),
+            args = (id, title, description),
             )
         ]
 
-def defineRole(_context, role_id, title, description=''):
+def defineRole(_context, id, title, description=''):
     return [
         Action(
-            discriminator = ('defineRole', role_id),
+            discriminator = ('defineRole', id),
             callable = role_reg.defineRole,
-            args = (role_id, title, description),
+            args = (id, title, description),
             )
         ]
 
-def principal(_context, principal_id, title, login, password, description=''):
+def principal(_context, id, title, login, password, description=''):
     return [
         Action(
-            discriminator = ('principal', principal_id),
+            discriminator = ('principal', id),
             callable = principalRegistry.definePrincipal,
-            args = (principal_id, title, description, login, password),
+            args = (id, title, description, login, password),
             )
         ]
 
-def defaultPrincipal(_context, principal_id, title, description=''):
+def defaultPrincipal(_context, id, title, description=''):
     return [
         Action(
             discriminator = 'defaultPrincipal',
             callable = principalRegistry.defineDefaultPrincipal,
-            args = (principal_id, title, description),
+            args = (id, title, description),
             )
         ]
 
-def grantPermissionToRole(_context, permission_id, role_id):
+def grantPermissionToRole(_context, permission, role):
     return [
         Action(
-            discriminator = ('grantPermissionToRole', permission_id, role_id),
+            discriminator = ('grantPermissionToRole', permission, role),
             callable = role_perm_mgr.grantPermissionToRole,
-            args = (permission_id, role_id),
+            args = (permission, role),
             )
         ]
 
-def grantPermissionToPrincipal(_context, permission_id, principal_id):
+def grantPermissionToPrincipal(_context, permission, principal):
     return [
         Action(
             discriminator = ('grantPermissionToPrincipal', 
-                             permission_id,
-                             principal_id),
+                             permission,
+                             principal),
             callable = principal_perm_mgr.grantPermissionToPrincipal,
-            args = (permission_id, principal_id),
+            args = (permission, principal),
         )
     ]
 
-def assignRoleToPrincipal(_context, role_id, principal_id):
+def assignRoleToPrincipal(_context, role, principal):
     return [
         Action(
-            discriminator = ('assignRoleToPrincipal', role_id, principal_id),
+            discriminator = ('assignRoleToPrincipal', role, principal),
             callable = principal_role_mgr.assignRoleToPrincipal,
-            args = (role_id, principal_id),
+            args = (role, principal),
         )
     ]
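
Review bot: renaming the handler parameters to `id` in definePermission, defineRole, principal and defaultPrincipal shadows the Python builtin `id` inside those functions. Nothing in the visible bodies calls the builtin, so it works, but a one-line comment that the name is dictated by the ZCML attribute name would stop a later cleanup from renaming it. In the grant and assign handlers the parameters are now called `permission`, `role` and `principal` although they still carry ids taken from ZCML attributes; a docstring saying so would avoid confusion with the permission and principal objects used in the view code.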
 


=== Zope3/lib/python/Zope/App/Security/protectClass.py 1.1.2.14 => 1.1.2.15 ===
 """
 
-from Interface.Method import Method
 from Exceptions import UndefinedPermissionError
 from PermissionRegistry import permissionRegistry
 
-from Zope.Configuration.ConfigurationDirectiveInterfaces \
-     import INonEmptyDirective
-from Zope.Configuration.Action import Action
-
 from Zope.Security.Checker import defineChecker, getCheckerForInstancesOf
 from Zope.Security.Checker import Checker, CheckerPublic
 
-class ProtectionDeclarationException(Exception):
-    """Security-protection-specific exceptions."""
-    pass
-
-
-class protectClass:
-
-    __class_implements__ = INonEmptyDirective    
-    
-    def __init__(self, _context, class_, permission_id=None, interface=None,
-                 names=None, like_unto=None):
-        self.__class = _context.resolve(class_)
-        self.__name = class_
-        self.__permission_id = permission_id
-        self.__like_unto = like_unto
-        self.__context = _context
-        self.__r = self.protect(_context, permission_id, interface, names,
-                                like_unto)
-
-    # ._getPermission() is handy for subclassing with different permission
-    # policy, eg publicClass.
-    def _getPermission(self, permission_id=None):
-        """Return the permission to use.
-
-        Consider optional permission argument and permission specified on
-        class init."""
-        if permission_id is None:
-            permission_id = self.__permission_id
-        if permission_id is None:
-            raise ProtectionDeclarationException("No permission specified")
-        else:
-            return permission_id
-
-    def protect(self, _context, permission_id=None, interface=None,
-                names=None, like_unto=None):
-        "Protect a specific aspect"
-
-        r = []
-
-        if like_unto:
-            self.__protectLikeUnto(like_unto, r)
-
-        if not (interface or names):
-            return r
-        
-        permission_id = self._getPermission(permission_id)
-
-
-        if interface:
-            self.__protectByInterface(interface, permission_id, r)
-        if names:
-            self.__protectNames(names, permission_id, r)
-
-        return r
-
-    def __protectName(self, name, permission_id, r):
-        "Set a permission on a particular name."
-        r.append((
-            ('protectName', self.__class, name),
-            protectName, (self.__class, name, permission_id)))
-
-    def __protectNames(self, names, permission_id, r):
-        "Set a permission on a bunch of names."
-        for name in names.split(","):
-            self.__protectName(name.strip(), permission_id, r)
-
-    def __protectByInterface(self, interface, permission_id, r):
-        "Set a permission on names in an interface."
-        interface = self.__context.resolve(interface)
-        for n, d in interface.namesAndDescriptions(1):
-            self.__protectName(n, permission_id, r)
-
-    def __protectLikeUnto(self, like_unto, r):
-        "Set a permission on names in an interface."
-        like_unto = self.__context.resolve(like_unto)
-        r.append(
-            Action(discriminator=('protectLikeUnto', self.__class, object()),
-                   callable=protectLikeUnto,
-                   args=(self.__class, like_unto),
-                   )
-            )
-
-    def __call__(self):
-        "Handle empty/simple declaration."
-        return self.__r
-
-def _checkPermission(permission_id):
+def checkPermission(permission):
     """Check to make sure that the permission is valid.
     """
-    
-    if not permissionRegistry.definedPermission(permission_id):
-        raise UndefinedPermissionError(permission_id)
+    if not permissionRegistry.definedPermission(permission):
+        raise UndefinedPermissionError(permission)
 
-def protectName(class_, name, permission_id):
+def protectName(class_, name, permission):
     "Set a permission on a particular name."
+    
+    checkPermission(permission)
+    
     checker = getCheckerForInstancesOf(class_)
     if checker is None:
         checker = Checker({}.get)
         defineChecker(class_, checker)
 
-    if permission_id == 'Zope.Public':
+    if permission == 'Zope.Public':
         # Translate public permission to CheckerPublic
-        permission_id = CheckerPublic
+        permission = CheckerPublic
 
     # OK, so it's a hack.
     protections = checker.getPermission_func().__self__    
-    protections[name] = permission_id
+    protections[name] = permission
 
 def protectLikeUnto(class_, like_unto):
     """Use the protections from like_unto for class_

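Review bot: in protectName the new `checkPermission(permission)` call runs before the `if permission == 'Zope.Public':` translation to CheckerPublic, so 'Zope.Public' now has to be defined in permissionRegistry or every public declaration raises UndefinedPermissionError. Either special-case 'Zope.Public' before the check or document that it must be registered before any class is protected. Since `_checkPermission` became the public `checkPermission` and ProtectionDeclarationException was removed, also check for remaining imports of the old names.
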

=== Zope3/lib/python/Zope/App/Security/security-meta.zcml 1.1.2.5 => 1.1.2.6 ===
   <directives namespace="http://namespaces.zope.org/security">
     <directive name="permission"
-               attributes="permission_id, title, description"
+               attributes="id title description"
                handler="Zope.App.Security.metaConfigure.definePermission" />
     <directive name="role"
-               attributes="role_id, title, description"
+               attributes="id title description"
                handler="Zope.App.Security.metaConfigure.defineRole" />
-    <directive name="protectClass"
-               attributes="class, permission_id, interface, names"
-               handler="Zope.App.Security.protectClass.">
-      <subdirective name="protect"
-                    attributes="permission_id, interface, names" />
-      </directive>
-    <directive name="publicClass" attributes="class, interface, names"
-               handler="Zope.App.Security.publicClass." />
     <directive name="defaultPolicy" attributes="name"
        handler="Zope.App.Security.metaConfigure.defaultPolicy" />
-    <directive name="principal" attributes="principal_id, title, description"
+    <directive name="principal" attributes="id title description"
        handler="Zope.App.Security.metaConfigure.principal" />
     <directive name="defaultPrincipal" 
-               attributes="principal_id, title, description"
+               attributes="principal title description"
        handler="Zope.App.Security.metaConfigure.defaultPrincipal" />
-    <directive name="grantPermissionToRole" attributes="permission_id, role_id"
+    <directive name="grantPermissionToRole" attributes="permission role"
        handler="Zope.App.Security.metaConfigure.grantPermissionToRole" />
     <directive
        name="grantPermissionToPrincipal"
-       attributes="permission_id, principal_id"
+       attributes="permission principal"
        handler="Zope.App.Security.metaConfigure.grantPermissionToPrincipal" />
-    <directive name="assignRoleToPrincipal" attributes="role_id, principal_id"
+    <directive name="assignRoleToPrincipal" attributes="role principal"
        handler="Zope.App.Security.metaConfigure.assignRoleToPrincipal" />
   </directives>
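
Review bot: the defaultPrincipal directive now declares `attributes="principal title description"`, but the handler in the metaConfigure.py hunk is `defaultPrincipal(_context, id, title, description='')`, so the first attribute name does not match the parameter; it should read `id title description` like the permission, role and principal directives. The principal directive also lists only `id title description` although its handler requires `login` and `password`; add them if the attribute list is meant to be complete.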
 


=== Zope3/lib/python/Zope/App/Security/security.zcml 1.1.2.8 => 1.1.2.9 ===
 >
   <serviceType
-      name="RoleService" 
+      id="RoleService" 
       interface="Zope.App.Security.IRoleService." />
   <service
-      name="RoleService" 
+      serviceType="RoleService" 
       component="Zope.App.Security.RoleRegistry.roleRegistry" />
 
   <serviceType
-      name="PermissionService" 
+      id="PermissionService" 
       interface="Zope.App.Security.IPermissionService." />
   <service
-      name="PermissionService" 
+      serviceType="PermissionService" 
       component="Zope.App.Security.PermissionRegistry.permissionRegistry" />
 
   <serviceType
-      name="AuthenticationService" 
+      id="AuthenticationService" 
       interface="Zope.App.Security.IAuthenticationService." />
   <service
-      name="AuthenticationService" 
+      serviceType="AuthenticationService" 
       component="Zope.App.Security.PrincipalRegistry.principalRegistry" />
 
-<security:defaultPolicy 
-  name="Zope.App.Security.ZopeSecurityPolicy.zopeSecurityPolicy" />
+  <security:defaultPolicy 
+      name="Zope.App.Security.ZopeSecurityPolicy.zopeSecurityPolicy" />
 
-
-<adapter factory="Zope.App.Security.BasicAuthAdapter."
-         provides="Zope.App.Security.ILoginPassword."
-         for="Zope.Publisher.HTTP.IHTTPCredentials." />
-
-<adapter factory="Zope.App.Security.BasicVFSAuthAdapter."
-         provides="Zope.App.Security.ILoginPassword."
-         for="Zope.Publisher.VFS.IVFSCredentials." />
-
-<adapter factory="Zope.App.Security.BasicVFSAuthAdapter."
-         provides="Zope.App.Security.ILoginPassword."
-         for="Zope.Publisher.VFS.IVFSCredentials." />
+  <adapter factory="Zope.App.Security.BasicAuthAdapter."
+           provides="Zope.App.Security.ILoginPassword."
+           for="Zope.Publisher.HTTP.IHTTPCredentials." />
+
+  <adapter factory="Zope.App.Security.BasicVFSAuthAdapter."
+           provides="Zope.App.Security.ILoginPassword."
+           for="Zope.Publisher.VFS.IVFSCredentials." />
+
+  <adapter factory="Zope.App.Security.BasicVFSAuthAdapter."
+           provides="Zope.App.Security.ILoginPassword."
+           for="Zope.Publisher.VFS.IVFSCredentials." />
 
 
 <!-- Role-Permission management view -->
+
+  <content class=".RolePermissionView.PermissionRoles.">
+    <security:require   
+        permission="Zope.Security"
+        attributes="roles rolesInfo"
+        interface="Zope.App.Security.IRegisteredObject." />
+  </content>
   
-<security:protectClass class="Zope.App.Security.RolePermissionView."
-   permission_id="Zope.Security"
-   names="index, roles, permissions, permissionRoles, action,
-   manage_permissionForm, update_permission,
-   manage_roleForm, update_role, permissionForID" />
-
-<security:protectClass
-   class="Zope.App.Security.RolePermissionView.PermissionRoles."
-   permission_id="Zope.Security"
-   names="roles, rolesInfo"
-   interface="Zope.App.Security.IRegisteredObject." />
-
-
-<browser:view name="RolePermissionsManagement"
-              for="Zope.App.OFS.Annotation.IAnnotatable."
-              factory="Zope.App.Security.RolePermissionView." />
-
-<adapter factory=".AnnotationRolePermissionManager."
-         provides=".IRolePermissionManager."
-         for="Zope.App.OFS.Annotation.IAnnotatable." />
+  <browser:view for="Zope.App.OFS.Annotation.IAnnotatable."
+                permission="Zope.Security"
+                factory="Zope.App.Security.RolePermissionView.">
+
+    <browser:page name="AllRolePermissions.html" 
+                  attribute="index" />
+    <browser:page name="ChangeAllRolePermissions.html" 
+                  attribute="action" />
+    <browser:page name="RolePermissions.html" 
+                  attribute="manage_RoleForm" />
+    <browser:page name="ChangeRolePermissions.html" 
+                  attribute="update_role" />
+    <browser:page name="RolesWithPermission.html" 
+                  attribute="manage_permissionForm" />
+    <browser:page name="ChangeRolesWithPermission.html" 
+                  attribute="update_permission" />
+  </browser:view>
+
+  <adapter factory=".AnnotationRolePermissionManager."
+           provides=".IRolePermissionManager."
+           for="Zope.App.OFS.Annotation.IAnnotatable." />
 
 
 <!-- Principal-Permission management view -->
-  
-<security:protectClass class="Zope.App.Security.PrincipalPermissionView."
-   permission_id="Zope.Security"
-   names="index, get_principal, unsetPermissions, denyPermissions,
-   grantPermissions, getUnsetPermissionsForPrincipal,
-   getPermissionsForPrincipal" />
-
-
-<browser:view name="PrincipalPermissionsManagement"
-              for="Zope.App.OFS.Annotation.IAnnotatable."
-              factory="Zope.App.Security.PrincipalPermissionView." />
-
-<adapter factory=".AnnotationPrincipalPermissionManager."
-         provides=".IPrincipalPermissionManager."
-         for="Zope.App.OFS.Annotation.IAnnotatable." />
-
-
-<!-- protect Roles and Permissions -->
-<security:protectClass class="Zope.App.Security.RoleRegistry.Role"
-                       interface="Zope.App.Security.IRegisteredObject."
-                       permission_id="Zope.Public"/>
 
+  <content class=".PrincipalPermissionView.">
+    <security:require
+        permission="Zope.Security"
+        attributes="index get_principal unsetPermissions denyPermissions
+                    grantPermissions getUnsetPermissionsForPrincipal
+                    getPermissionsForPrincipal" />
+  </content>
+
+  <browser:view
+      name="PrincipalPermissionsManagement"
+      for="Zope.App.OFS.Annotation.IAnnotatable."
+      factory=".PrincipalPermissionView." />
+
+  <adapter factory=".AnnotationPrincipalPermissionManager."
+           provides=".IPrincipalPermissionManager."
+           for="Zope.App.OFS.Annotation.IAnnotatable." />
+
+
+  <!-- protect Roles and Permissions -->
+  <content class=".RoleRegistry.Role">
+    <security:allow
+        interface="Zope.App.Security.IRegisteredObject." />
+  </content>
+  
 </zopeConfigure>
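
Review bot: the browser:page entry for RolePermissions.html uses `attribute="manage_RoleForm"` with a capital R, whereas the removed protectClass declaration named `manage_roleForm` and the sibling page uses `manage_permissionForm`; this looks like a typo that would leave the page pointing at a missing attribute. Two smaller points: the BasicVFSAuthAdapter adapter registration for IVFSCredentials still appears twice with identical attributes, and the browser:view for PrincipalPermissionView has no `permission` attribute while the one for RolePermissionView does, so the two management views are protected in different ways.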
 

=== Removed File Zope3/lib/python/Zope/App/Security/publicClass.py ===