[Zope-Checkins] SVN: Zope/branches/2.12/ make sure that the browser:view directive doesn't clobber security declarations for attributes which are not included in allowed_attributes or allowed_interface but which already have security declarations in a base class's security info. This is needed to provide access to, e.g., restrictedTraverse on views that subclass Traversable

David Glick davidglick at onenw.org
Fri Jul 16 01:56:27 EDT 2010


Log message for revision 114789:
  make sure that the browser:view directive doesn't clobber security declarations for attributes which are not included in allowed_attributes or allowed_interface but which already have security declarations in a base class's security info. This is needed to provide access to, e.g., restrictedTraverse on views that subclass Traversable

Changed:
  U   Zope/branches/2.12/doc/CHANGES.rst
  U   Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py
  U   Zope/branches/2.12/src/Products/Five/browser/tests/pages.py
  U   Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt
  U   Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml
  U   Zope/branches/2.12/src/Products/Five/security.py

-=-
Modified: Zope/branches/2.12/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.12/doc/CHANGES.rst	2010-07-15 19:52:12 UTC (rev 114788)
+++ Zope/branches/2.12/doc/CHANGES.rst	2010-07-16 05:56:26 UTC (rev 114789)
@@ -11,6 +11,12 @@
 Bugs Fixed
 ++++++++++
 
+- Fix support for non-public permission attributes in the
+  browser:view directive so that attributes which are not included in
+  allowed_interface or allowed_attributes but which have declarations from a
+  base class's security info don't get their security overwritten to be
+  private.
+
 - LP #143755: Also catch TypeError when trying to determine an 
   indexable value for an object in PluginIndexes.common.UnIndex
 

Modified: Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py
===================================================================
--- Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py	2010-07-15 19:52:12 UTC (rev 114788)
+++ Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py	2010-07-16 05:56:26 UTC (rev 114789)
@@ -315,7 +315,7 @@
             _context.action(
                 discriminator = ('five:protectName', newclass, attr),
                 callable = protectName,
-                args = (newclass, attr, CheckerPrivateId)
+                args = (newclass, attr, CheckerPrivateId, False)
                 )
         
         # Protect the class
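Review bot: The bare `False` appended to `args` in the `five:protectName` action gives no hint of what it switches off, yet it decides whether an attribute is forced to `CheckerPrivateId` or keeps a declaration it already has. Add a one-line comment above the action naming `override_existing_protection` and stating that existing declarations are deliberately left in place here, so a later reader does not take it for a stray flag.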

Modified: Zope/branches/2.12/src/Products/Five/browser/tests/pages.py
===================================================================
--- Zope/branches/2.12/src/Products/Five/browser/tests/pages.py	2010-07-15 19:52:12 UTC (rev 114788)
+++ Zope/branches/2.12/src/Products/Five/browser/tests/pages.py	2010-07-16 05:56:26 UTC (rev 114789)
@@ -17,6 +17,7 @@
 """
 from Products.Five import BrowserView
 from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
+from OFS.SimpleItem import SimpleItem
 
 class SimpleView(BrowserView):
     """More docstring. Please Zope"""
@@ -40,6 +41,11 @@
     def __call__(self):
         return u"I was __call__()'ed"
 
+class PermissionView(BrowserView, SimpleItem):
+    
+    def __call__(self):
+        return u"I was __call__()'ed"
+
 class CallTemplate(BrowserView):
 
     __call__ = ViewPageTemplateFile('falcon.pt')
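Review bot: `PermissionView` gives no hint why it mixes in `SimpleItem`, and its `__call__` is a copy of the one shown just above it. A short docstring or comment saying that `SimpleItem` is there to bring in inherited security declarations such as the one for `restrictedTraverse` would tie the class to the new doctest in pages.txt and keep it from being tidied away as redundant.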

Modified: Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt
===================================================================
--- Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt	2010-07-15 19:52:12 UTC (rev 114788)
+++ Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt	2010-07-16 05:56:26 UTC (rev 114789)
@@ -275,6 +275,13 @@
   >>> aq_parent(aq_inner(context))
   <Folder at /test_folder_1_> 
 
+Make sure that methods which are not included in the allowed interface or
+attributes, but which already had security declarations from a base class,
+don't get those declarations overridden to be private. (The roles for
+restrictedTraverse should be None, indicating it is public.)
+
+  >>> view.restrictedTraverse__roles__
+
 High-level security
 -------------------
 
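Review bot: The added example `>>> view.restrictedTraverse__roles__` asserts by omission: it passes only because a `None` result prints nothing, and the expectation lives solely in the prose above it. Make it explicit with `>>> view.restrictedTraverse__roles__ is None` followed by `True`, so a failure shows what was expected. The hunk also does not show which view `view` is bound to at this point; confirm it is the one registered as `permission_view`, since that is the registration switched to `PermissionView`.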

Modified: Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml
===================================================================
--- Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml	2010-07-15 19:52:12 UTC (rev 114788)
+++ Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml	2010-07-16 05:56:26 UTC (rev 114789)
@@ -237,7 +237,7 @@
   <browser:view
       name="permission_view"
       for="Products.Five.tests.testing.simplecontent.ISimpleContent"
-      class=".pages.CallView"
+      class=".pages.PermissionView"
       permission="zope2.ViewManagementScreens"
       />
   
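Review bot: Swapping `class=".pages.CallView"` for `.pages.PermissionView` on the existing `permission_view` registration changes the class under test for every existing check against that name. A separate `browser:view` registration with its own name for the new case would leave the existing `zope2.ViewManagementScreens` coverage of `CallView` as it was.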

Modified: Zope/branches/2.12/src/Products/Five/security.py
===================================================================
--- Zope/branches/2.12/src/Products/Five/security.py	2010-07-15 19:52:12 UTC (rev 114788)
+++ Zope/branches/2.12/src/Products/Five/security.py	2010-07-16 05:56:26 UTC (rev 114789)
@@ -127,12 +127,15 @@
     setattr(klass, '__security__', security)
     return security
 
-def protectName(klass, name, permission_id):
+def protectName(klass, name, permission_id, override_existing_protection=True):
     """Protect the attribute 'name' on 'klass' using the given
        permission"""
     security = _getSecurity(klass)
     # Zope 2 uses string, not unicode yet
     name = str(name)
+    if not override_existing_protection and ('%s__roles__' % name) in dir(klass):
+        # There is already a declaration for this name from a base class.
+        return
     if permission_id == CheckerPublicId or permission_id is CheckerPublic:
         # Sometimes, we already get a processed permission id, which
         # can mean that 'zope.Public' has been interchanged for the


