[Zope3-checkins] CVS: Zope3/lib/python/Zope/App/Publisher/Browser - FileResource.py:1.7 ViewMeta.py:1.6

Steve Alexander steve@cat-box.net
Mon, 28 Oct 2002 13:41:49 -0500


Update of /cvs-repository/Zope3/lib/python/Zope/App/Publisher/Browser
In directory cvs.zope.org:/tmp/cvs-serv10546/python/Zope/App/Publisher/Browser

Modified Files:
	FileResource.py ViewMeta.py 
Log Message:
Fixed collector issue http://collector.zope.org/Zope3-dev/78

Resources and pages of named views are now wrapped with security
proxies at the factory.

Updated tests to remove proxies from views etc. when the test is not
concerned with security.


=== Zope3/lib/python/Zope/App/Publisher/Browser/FileResource.py 1.6 => 1.7 ===
--- Zope3/lib/python/Zope/App/Publisher/Browser/FileResource.py:1.6	Wed Jul 17 19:18:05 2002
+++ Zope3/lib/python/Zope/App/Publisher/Browser/FileResource.py	Mon Oct 28 13:41:18 2002
@@ -27,6 +27,8 @@
 from Zope.App.Publisher.Browser.Resource import Resource
 from Zope.Misc.DateTimeParse import time as timeFromDateTimeString
 
+from Zope.Security.Proxy import ProxyFactory
+
 class FileResource(BrowserView, Resource):
 
     __implements__ = IBrowserResource, IBrowserPublisher
@@ -119,7 +121,7 @@
         self.__file = File(path)
 
     def __call__(self, request):
-        return FileResource(self.__file, request)
+        return ProxyFactory(FileResource(self.__file, request))
 
 class ImageResourceFactory:
 
@@ -127,4 +129,4 @@
         self.__file = Image(path)
 
     def __call__(self, request):
-        return FileResource(self.__file, request)
+        return ProxyFactory(FileResource(self.__file, request))


=== Zope3/lib/python/Zope/App/Publisher/Browser/ViewMeta.py 1.5 => 1.6 ===
--- Zope3/lib/python/Zope/App/Publisher/Browser/ViewMeta.py:1.5	Tue Oct 22 15:17:23 2002
+++ Zope3/lib/python/Zope/App/Publisher/Browser/ViewMeta.py	Mon Oct 28 13:41:18 2002
@@ -102,6 +102,12 @@
             if self.__default is None:
                 self.__default = name
 
+            # Call super(view, self).page() in order to get the side
+            # effects. (At the time of writing, this is to increment
+            # self.pages by one.)
+            # Throw away the result, as all the pages are accessed by
+            # traversing the PageTraverser subclass.
+            super(view, self).page(_context, name, attribute)
             return ()
 
         factory = self.factory
@@ -199,7 +205,7 @@
             # needs to be rewrapped
             view.__Security_checker__ = checker
 
-            return view
+            return Proxy(view, checker)
 
         factory[-1] =  proxyView
 
@@ -224,20 +230,23 @@
                      (klass.__implements__, PageTraverser.__implements__),
                      }
         for name in self.__pages:
-            attribute, permission, template = self.__pages[name] 
+            attribute, permission, template = self.__pages[name]
+
+            # We need to set the default permission on pages if the pages
+            # don't already have a permission explicitly set
+            permission = permission or self.permission
             if permission == 'Zope.Public':
                 permission = CheckerPublic
 
-            if attribute:
-                require[attribute] = permission
-            else:
+            if not attribute:
                 attribute = name
-                require[attribute] = permission
+
+            require[attribute] = permission
 
             if template:
                 klassdict[attribute] = ViewPageTemplateFile(template)
 
-            klassdict['_PageTraverser__pages'][name] = attribute
+            klassdict['_PageTraverser__pages'][name] = attribute, permission
 
         klass = type(klass.__name__,
                      (klass, PageTraverser, object),
@@ -245,6 +254,12 @@
         factory[-1] = klass
         self.factory = factory
 
+        permission_for_browser_publisher = self.permission
+        if permission_for_browser_publisher == 'Zope.Public':
+            permission_for_browser_publisher = CheckerPublic
+        for name in IBrowserPublisher.names(all=1):
+            require[name] = permission_for_browser_publisher
+       
         return super(view, self).__call__(require=require)
 
 
@@ -253,7 +268,10 @@
     __implements__ = IBrowserPublisher
 
     def publishTraverse(self, request, name):
-        return getattr(self, self._PageTraverser__pages[name])
+        attribute, permission = self._PageTraverser__pages[name]
+        return Proxy(getattr(self, attribute),
+                     NamesChecker(__call__=permission)
+                     )
 
     def browserDefault(self, request):
         return self, (self._PageTraverser__default, )