[Zope3-checkins] SVN: Zope3/trunk/src/zope/app/ Container contents view handles zope.View and zope.app.dublincore.view permissions correctly. Ftests included.

Garrett Smith garrett at mojave-corp.com
Fri Jul 23 10:03:07 EDT 2004


Log message for revision 26701:
  Container contents view handles zope.View and zope.app.dublincore.view permissions correctly. Ftests included.


Changed:
  U   Zope3/trunk/src/zope/app/container/browser/contents.pt
  U   Zope3/trunk/src/zope/app/container/browser/contents.py
  A   Zope3/trunk/src/zope/app/container/ftests/
  A   Zope3/trunk/src/zope/app/container/ftests/__init__.py
  A   Zope3/trunk/src/zope/app/container/ftests/test_view_permissions.py
  U   Zope3/trunk/src/zope/app/pagetemplate/talesapi.py


-=-
Modified: Zope3/trunk/src/zope/app/container/browser/contents.pt
===================================================================
--- Zope3/trunk/src/zope/app/container/browser/contents.pt	2004-07-23 13:57:45 UTC (rev 26700)
+++ Zope3/trunk/src/zope/app/container/browser/contents.pt	2004-07-23 14:03:07 UTC (rev 26701)
@@ -100,9 +100,8 @@
                  >&nbsp;&nbsp;&nbsp;&nbsp;</span>
             </td>
 
-            <td><span tal:attributes="size item/size/sizeForSorting"
-                      tal:content="item/size/sizeForDisplay"
-                      >&nbsp;</span></td>
+            <td><span tal:content="item/size/sizeForDisplay|nothing">
+                      &nbsp;</span></td>
             <td><span tal:define="created item/created|default"
                       tal:content="created">&nbsp;</span></td>
             <td><span tal:define="modified item/modified|default"
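Review bot: With `tal:content="item/size/sizeForDisplay|nothing"` the `&nbsp;` placeholder inside the span is dead text, because a `nothing` result empties the element instead of keeping the template content. The created and modified cells just below use `|default`, which keeps the placeholder; `tal:content="item/size/sizeForDisplay|default"` would make the size cell behave the same way. The fallback also fires on any failed path lookup, so a row with no size entry and a row whose size could not be read render identically. The `size` attribute carrying `sizeForSorting` is dropped rather than guarded, so it is worth confirming that nothing outside this hunk reads it.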

Modified: Zope3/trunk/src/zope/app/container/browser/contents.py
===================================================================
--- Zope3/trunk/src/zope/app/container/browser/contents.py	2004-07-23 13:57:45 UTC (rev 26700)
+++ Zope3/trunk/src/zope/app/container/browser/contents.py	2004-07-23 14:03:07 UTC (rev 26701)
@@ -17,7 +17,8 @@
 """
 __docformat__ = 'restructuredtext'
 
-from zope.exceptions import NotFoundError
+from zope.exceptions import NotFoundError, Unauthorized
+from zope.security import checkPermission
 
 from zope.app import zapi
 from zope.app.size.interfaces import ISized
@@ -158,21 +159,22 @@
 
         dc = IZopeDublinCore(obj, None)
         if dc is not None:
-            info['retitleable'] = id != retitle_id
+            info['retitleable'] = checkPermission(
+                'zope.app.dublincore.change', dc) and id != retitle_id
             info['plaintitle'] = 0
 
-            title = dc.title
+            title = self.safe_getattr(dc, 'title', None)
             if title:
                 info['title'] = title
 
             formatter = self.request.locale.dates.getFormatter(
                 'dateTime', 'short')
 
-            created = dc.created
+            created = self.safe_getattr(dc, 'created', None)
             if created is not None:
                 info['created'] = formatter.format(created)
 
-            modified = dc.modified
+            modified = self.safe_getattr(dc, 'modified', None)
             if modified is not None:
                 info['modified'] = formatter.format(modified)
         else:
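Review bot: The new `checkPermission('zope.app.dublincore.change', dc)` term in `info['retitleable']` is not exercised by any of the three ftests added in this commit, which cover only zope.View and zope.app.dublincore.view. A fourth test that denies zope.app.dublincore.change and checks that the listing no longer offers retitling would pin the behaviour. The flag only decides what the listing offers, so a comment such as `# display hint only; do not rely on this flag to block the write` would help the next reader. Whether the retitle handler rejects the write on its own is not visible here and should be confirmed. The enclosing method starts and ends outside the hunk.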
@@ -185,6 +187,13 @@
             info['size'] = sized_adapter
         return info
 
+    def safe_getattr(self, obj, attr, default):
+        """Attempts to read the attr, returning default if Unauthorized."""
+        try:
+            return getattr(obj, attr, default)
+        except Unauthorized:
+            return default
+
     def renameObjects(self):
         """Given a sequence of tuples of old, new ids we rename"""
         request = self.request
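Review bot: `safe_getattr` returns `default` both when the attribute is missing and when reading it raises Unauthorized, but its docstring mentions only the second case. I would spell that out, e.g. `"""Return getattr(obj, attr, default); also return default when the read raises Unauthorized, so a missing and a denied attribute look the same to the caller."""`. Because a denial is swallowed silently, the three call sites above cannot tell "no metadata" from "not allowed to see metadata". A single `checkPermission('zope.app.dublincore.view', dc)` up front would make that decision explicit, if the distinction ever matters. The helper is only used internally, so a leading underscore would match that. `title_or_name` in talesapi.py repeats the same try/except inline.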

Added: Zope3/trunk/src/zope/app/container/ftests/__init__.py
===================================================================
--- Zope3/trunk/src/zope/app/container/ftests/__init__.py	2004-07-23 13:57:45 UTC (rev 26700)
+++ Zope3/trunk/src/zope/app/container/ftests/__init__.py	2004-07-23 14:03:07 UTC (rev 26701)
@@ -0,0 +1,2 @@
+#
+# This file is necessary to make this directory a package.

Added: Zope3/trunk/src/zope/app/container/ftests/test_view_permissions.py
===================================================================
--- Zope3/trunk/src/zope/app/container/ftests/test_view_permissions.py	2004-07-23 13:57:45 UTC (rev 26700)
+++ Zope3/trunk/src/zope/app/container/ftests/test_view_permissions.py	2004-07-23 14:03:07 UTC (rev 26701)
@@ -0,0 +1,102 @@
+##############################################################################
+#
+# Copyright (c) 2004 Zope Corporation and Contributors.
+# All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE.
+#
+##############################################################################
+"""Container View Permissions Tests
+
+$Id: $
+"""
+import unittest
+from transaction import get_transaction
+
+from zope.exceptions import Unauthorized
+
+from zope.app.tests.functional import BrowserTestCase
+from zope.app.file import File
+from zope.app.dublincore.interfaces import IZopeDublinCore
+from zope.app.securitypolicy.interfaces import IRolePermissionManager
+
+
+class Tests(BrowserTestCase):
+
+    def test_default_view_permissions(self):
+        """Tests the default view permissions.
+
+        See zope/app/securitypolicy/configure.zcml for the grants of
+        zope.View and zope.app.dublincore.view to zope.Anonymous. These
+        ensure that, by default, anonymous users can view container contents.
+        """
+        # add an item that can be viewed from the root folder
+        file = File()
+        self.getRootFolder()['file'] = file
+        IZopeDublinCore(file).title = u'My File'
+        get_transaction().commit()
+
+        response = self.publish('/')
+        self.assertEquals(response.getStatus(), 200)
+        body = response.getBody()
+
+        # confirm we can see the file name
+        self.assert_(body.find('<a href="file">file</a>') != -1)
+
+        # confirm we can see the metadata title
+        self.assert_(body.find('<td><span>My File</span></td>') != -1)
+
+    def test_deny_view(self):
+        """Tests the denial of view permissions to anonymous.
+
+        This test uses the ZMI interface to deny anonymous zope.View permission
+        to the root folder.
+        """
+        # deny zope.View to zope.Anonymous
+        prm = IRolePermissionManager(self.getRootFolder())
+        prm.denyPermissionToRole('zope.View', 'zope.Anonymous')
+        get_transaction().commit()
+
+        # confirm Unauthorized when viewing root folder
+        self.assertRaises(Unauthorized, self.publish, '/')
+
+    def test_deny_dublincore_view(self):
+        """Tests the denial of dublincore view permissions to anonymous.
+
+        Users who can view a folder contents page but cannot view dublin core
+        should still be able to see the folder items' names, but not their
+        title, modified, and created info.
+        """
+        # add an item that can be viewed from the root folder
+        file = File()
+        self.getRootFolder()['file'] = file
+        IZopeDublinCore(file).title = u'My File'
+
+        # deny zope.app.dublincore.view to zope.Anonymous
+        prm = IRolePermissionManager(self.getRootFolder())
+        prm.denyPermissionToRole('zope.app.dublincore.view', 'zope.Anonymous')
+        get_transaction().commit()
+
+        response = self.publish('/')
+        self.assertEquals(response.getStatus(), 200)
+        body = response.getBody()
+
+        # confirm we can see the file name
+        self.assert_(body.find('<a href="file">file</a>') != -1)
+
+        # confirm we *cannot* see the metadata title
+        self.assert_(body.find('My File') == -1)
+
+
+def test_suite():
+    suite = unittest.TestSuite()
+    suite.addTest(unittest.makeSuite(Tests))
+    return suite
+
+if __name__=='__main__':
+    unittest.main(defaultTest='test_suite')
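Review bot: `test_deny_dublincore_view` asserts only that the title is absent, while its docstring says the created and modified info must be hidden as well. The `safe_getattr(dc, 'created', None)` and `safe_getattr(dc, 'modified', None)` paths in contents.py are therefore untested for the denied case. An assertion on the created and modified cells of the row, once their rendered empty form is known, would close that gap. `test_default_view_permissions` matches the exact markup `<td><span>My File</span></td>`, which will break on any template whitespace change; checking for the title text alone is sturdier. As a small style point, `self.assert_('My File' not in body)` reads more directly than the `body.find(...) == -1` form.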

Modified: Zope3/trunk/src/zope/app/pagetemplate/talesapi.py
===================================================================
--- Zope3/trunk/src/zope/app/pagetemplate/talesapi.py	2004-07-23 13:57:45 UTC (rev 26700)
+++ Zope3/trunk/src/zope/app/pagetemplate/talesapi.py	2004-07-23 14:03:07 UTC (rev 26701)
@@ -19,6 +19,7 @@
 from zope.app.size.interfaces import ISized
 from zope.app import zapi
 from zope.interface import implements
+from zope.exceptions import Unauthorized
 from zope.tales.interfaces import ITALESFunctionNamespace
 from interfaces import IZopeTalesAPI
 
@@ -64,7 +65,10 @@
         return zapi.name(self.context)
 
     def title_or_name(self):
-        return getattr(self, 'title', '') or zapi.name(self.context)
+        try:
+            return getattr(self, 'title', '') or zapi.name(self.context)
+        except Unauthorized:
+            return zapi.name(self.context)
 
     def size(self):
         a = ISized(self.context, None)
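Review bot: The `try` in `title_or_name` wraps the `zapi.name(self.context)` fallback as well as the `title` read, so the handler cannot tell which of the two raised Unauthorized. If the name lookup raised it, the handler simply calls the same lookup again. Narrowing the `try` to the `getattr` keeps the intent (hide a denied title, fall back to the name) and leaves a single name lookup. Note that `getattr(self, 'title', '')` reads the attribute on the adapter itself; the `title` accessor that would raise is outside this hunk.

```python
    def title_or_name(self):
        try:
            title = getattr(self, 'title', '')
        except Unauthorized:
            # a denied title is treated like a missing one
            title = ''
        return title or zapi.name(self.context)
```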


