LP #578326: Issue a warning if someone specifies a non-public permission...

LP #578326: Issue a warning if someone specifies a non-public permission attribute in the browser:view directive. This attribute has never been supported in Zope 2. This should at least make it obvious where people might have been relying on false security assumptions.

LP #578326: Issue a warning if someone specifies a non-public permission...
LP #578326: Issue a warning if someone specifies a non-public permission attribute in the browser:view directive. This attribute has never been supported in Zope 2. This should at least make it obvious where people might have been relying on false security assumptions.
2564c5f3 · Hanno Schlichting · b2b85073 · 2564c5f3 · 2564c5f3 · 2564c5f3
Commit 2564c5f3 authored Jun 26, 2010 by Hanno Schlichting
Showing with 42 additions and 1 deletion

doc/CHANGES.rst doc/CHANGES.rst +3 -0

src/Products/Five/browser/meta.zcml src/Products/Five/browser/meta.zcml +1 -1

src/Products/Five/browser/metaconfigure.py src/Products/Five/browser/metaconfigure.py +38 -0

No files found.
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -11,6 +11,9 @@ http://docs.zope.org/zope2/releases/.
 Bugs Fixed
 ++++++++++

+- LP #578326: Issue a warning if someone specifies a non-public permission
+  attribute in the browser:view directive. This attribute has never been
+  supported in Zope 2.


 2.12.8 (2010-06-25)

--- a/src/Products/Five/browser/meta.zcml
+++ b/src/Products/Five/browser/meta.zcml
@@ -42,7 +42,7 @@

    <meta:complexDirective
        name="view"
-        schema="zope.app.publisher.browser.metadirectives.IViewDirective"
+        schema=".metaconfigure.IFiveViewDirective"
        handler=".metaconfigure.view"
        >


--- a/src/Products/Five/browser/metaconfigure.py
+++ b/src/Products/Five/browser/metaconfigure.py
@@ -20,6 +20,7 @@ $Id$
 """
 import os
 from inspect import ismethod
+import warnings

 from zope import component
 from zope.interface import implements
@@ -31,6 +32,7 @@ from zope.publisher.interfaces import NotFound
 from zope.publisher.interfaces.browser import IDefaultBrowserLayer
 from zope.publisher.interfaces.browser import IBrowserPublisher
 from zope.publisher.interfaces.browser import IBrowserRequest
+from zope.security.zcml import Permission

 import zope.app.publisher.browser.viewmeta
 from zope.app.publisher.browser.viewmeta import providesCallable
@@ -177,8 +179,44 @@ class pages(zope.app.publisher.browser.viewmeta.pages):

 # view (named view with pages)

+from zope.app.publisher.browser.metadirectives import IViewDirective
+
+class IFiveViewDirective(IViewDirective):
+
+    permission = Permission(
+        title=u"Permission",
+        description=u"The permission needed to use the view.",
+        required=False,
+        )
+
+
 class view(zope.app.publisher.browser.viewmeta.view):

+    # Let the permission default to zope.Public and not be required
+    # We should support this, as more users are expecting it to work.
+    def __init__(self, _context, for_, permission=None,
+                 name='', layer=IDefaultBrowserLayer, class_=None,
+                 allowed_interface=None, allowed_attributes=None,
+                 menu=None, title=None, provides=Interface,
+                 ):
+        if permission is None:
+            permission = 'zope.Public'
+        elif permission in ('zope.Public', 'zope2.Public'):
+            # No need to warn about the default case
+            pass
+        else:
+            warnings.warn("The permission option of the <browser:view /> "
+                          "directive is not supported in Zope 2. " + \
+                          "Ignored for %s in %s" %
+                          (str(class_), _context.info), stacklevel=3)
+
+        super(view, self).__init__(
+            _context, for_, permission=permission, name=name, layer=layer,
+            class_=class_, allowed_interface=allowed_interface,
+            allowed_attributes=allowed_attributes, menu=menu, title=title,
+            provides=provides)
+
+
    def __call__(self):
        (_context, name, for_, permission, layer, class_,
         allowed_interface, allowed_attributes) = self.args