Skip to content

Z
Zope
Commit 3168d870 authored by Martin Aspeli's avatar Martin Aspeli
Browse files
Options

Merge r114488 from 2.12 branch

parent 916bcfd9
Hide whitespace changes
Inline Side-by-side
Showing with 69 additions and 11 deletions
src/Products/Five/browser/metaconfigure.py
View file @ 3168d870
......@@ -201,15 +201,7 @@ class view(zope.browserpage.metaconfigure.view):
):
if permission is None:
permission = 'zope.Public'
elif permission in ('zope.Public', 'zope2.Public'):
# No need to warn about the default case
pass
else:
warnings.warn("The permission option of the <browser:view /> "
"directive is not supported in Zope 2. " + \
"Ignored for %s in %s" %
(str(class_), _context.info), stacklevel=3)
super(view, self).__init__(
_context, permission, for_=for_, name=name, layer=layer,
class_=class_, allowed_interface=allowed_interface,
......@@ -314,6 +306,42 @@ class view(zope.browserpage.metaconfigure.view):
newclass, (for_, layer), self.provides, name,
_context.info),
)
# Security
_context.action(
discriminator = ('five:protectClass', newclass),
callable = protectClass,
args = (newclass, permission)
)
if allowed_attributes:
for attr in allowed_attributes:
_context.action(
discriminator = ('five:protectName', newclass, attr),
callable = protectName,
args = (newclass, attr, permission)
)
# Make everything else private
allowed = allowed_attributes or []
private_attrs = [name for name in dir(newclass)
if (not name.startswith('_')) and
(name not in allowed) and
ismethod(getattr(newclass, name))]
for attr in private_attrs:
_context.action(
discriminator = ('five:protectName', newclass, attr),
callable = protectName,
args = (newclass, attr, CheckerPrivateId)
)
# Protect the class
_context.action(
discriminator = ('five:initialize:class', newclass),
callable = InitializeClass,
args = (newclass,)
)
_factory_map = {'image':{'prefix':'ImageResource',
'count':0,
......
src/Products/Five/browser/tests/pages.txt
View file @ 3168d870
......@@ -253,12 +253,34 @@ C methods work the same
>>> aq_parent(aq_inner(context))
<Folder at /test_folder_1_>
The same applies to a view registered with <browser:view /> instead of
<browser:page />
>>> request = TestRequest()
>>> view = getMultiAdapter((self.folder.testoid, request), name=u'permission_view')
>>> view.__ac_permissions__
(('View management screens', ('',)),)
>>> aq_acquire(view, '__roles__')
('Manager',)
>>> context = view.context
>>> from Acquisition import ImplicitAcquisitionWrapper
>>> type(context) == ImplicitAcquisitionWrapper
True
>>> view.__parent__ == view.context
True
>>> aq_parent(view) == view.context
True
>>> context.aq_inner.aq_parent
<Folder at /test_folder_1_>
>>> aq_parent(aq_inner(context))
<Folder at /test_folder_1_>
High-level security
-------------------
>>> protected_view_names = [
... 'eagle.txt', 'falcon.html', 'owl.html', 'flamingo.html',
... 'condor.html']
... 'condor.html', 'permission_view']
>>>
>>> public_view_names = [
... 'public_attribute_page',
......
src/Products/Five/browser/tests/pages.zcml
View file @ 3168d870
......@@ -232,7 +232,15 @@
class=".pages.SimpleView"
permission="zope2.Public"
/>
<!-- A named view with permissions -->
<browser:view
name="permission_view"
for="Products.Five.tests.testing.simplecontent.ISimpleContent"
class=".pages.CallView"
permission="zope2.ViewManagementScreens"
/>
<!-- stuff that we'll override in overrides.zcml -->
<browser:page
for="Products.Five.tests.testing.simplecontent.ISimpleContent"
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7