Commit 4ac217a2 authored by 's avatar

- added more security tests

- fixed __ac_permissions__ created by the browser:view directive
parent fbc0a65e
...@@ -262,6 +262,7 @@ class view(zope.browserpage.metaconfigure.view): ...@@ -262,6 +262,7 @@ class view(zope.browserpage.metaconfigure.view):
) )
if class_ is not None: if class_ is not None:
cdict.update(getSecurityInfo(class_))
bases = (class_, simple) bases = (class_, simple)
else: else:
bases = (simple,) bases = (simple,)
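Review bot: The merge added at `cdict.update(getSecurityInfo(class_))` is order-dependent and carries no comment. `dict.update` silently replaces any key that was already put into `cdict` earlier in this method, so for a shared name such as `__ac_permissions__` the winner between the directive's `permission` and the class's own declarations depends on code that is not visible in this hunk. A short comment stating the intended precedence would help, for example `# start from the class's declared roles/permissions; the directive's permission is combined with them later`, with the wording confirmed against the rest of the method. The enclosing method starts and ends outside the hunk.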
......
...@@ -14,9 +14,11 @@ ...@@ -14,9 +14,11 @@
"""Test browser pages """Test browser pages
""" """
from AccessControl.class_init import InitializeClass
from AccessControl.SecurityInfo import ClassSecurityInfo
from OFS.SimpleItem import SimpleItem
from Products.Five import BrowserView from Products.Five import BrowserView
from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
from OFS.SimpleItem import SimpleItem
class SimpleView(BrowserView): class SimpleView(BrowserView):
...@@ -96,3 +98,25 @@ class NewStyleClass(object): ...@@ -96,3 +98,25 @@ class NewStyleClass(object):
def method(self): def method(self):
"""Docstring""" """Docstring"""
return return
class ProtectedView(object):
security = ClassSecurityInfo()
security.declarePublic('public_method')
def public_method(self):
"""Docstring"""
return u'PUBLIC'
security.declareProtected('View', 'protected_method')
def protected_method(self):
"""Docstring"""
return u'PROTECTED'
security.declarePrivate('private_method')
def private_method(self):
"""Docstring"""
return u'PRIVATE'
InitializeClass(ProtectedView)
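Review bot: `ProtectedView` declares all three of its methods explicitly, so nothing in the fixture shows what a method with no declaration receives once the class's security info is merged with the directive's `permission`. That default case is the one most likely to end up exposed or locked down by accident. A fourth method without any `security.declare*` line, e.g. `def undeclared_method(self):` returning `u'UNDECLARED'`, plus a matching assertion on its roles in the doctest, would pin it. A one-line class docstring such as `"""Fixture with one method per kind of security declaration."""` would also help readers of the ZCML registrations.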
...@@ -319,6 +319,52 @@ Test traversal to resources from within ZPT pages: ...@@ -319,6 +319,52 @@ Test traversal to resources from within ZPT pages:
<html><body><img alt="" <html><body><img alt=""
src="http://nohost/test_folder_1_/testoid/++resource++pattern.png" /></body></html> src="http://nohost/test_folder_1_/testoid/++resource++pattern.png" /></body></html>
Security settings of the base class are combined with new settings based on the
view permission:
>>> from AccessControl import ACCESS_PUBLIC
>>> view = self.folder.unrestrictedTraverse('testoid/protected_class_page')
>>> view.__parent__ == self.folder.testoid
True
>>> view.__ac_permissions__
(('View', ('protected_method',)), ('View management screens', ('', '__call__')))
>>> aq_acquire(view, '__call____roles__')
('Manager',)
>>> aq_acquire(view, 'public_method__roles__') is ACCESS_PUBLIC
True
>>> aq_acquire(view, 'protected_method__roles__')
['Manager', 'test_role_1_', 'Manager', 'Anonymous']
>>> aq_acquire(view, 'private_method__roles__') is ACCESS_PRIVATE
True
>>> view = self.folder.unrestrictedTraverse('testoid/protected_template_class_page')
>>> view.__parent__ == self.folder.testoid
True
>>> view.__ac_permissions__
(('View', ('protected_method',)), ('View management screens', ('', '__call__')))
>>> aq_acquire(view, '__call____roles__')
('Manager',)
>>> aq_acquire(view, 'public_method__roles__') is ACCESS_PUBLIC
True
>>> aq_acquire(view, 'protected_method__roles__')
['Manager', 'test_role_1_', 'Manager', 'Anonymous']
>>> aq_acquire(view, 'private_method__roles__') is ACCESS_PRIVATE
True
>>> view = self.folder.unrestrictedTraverse('testoid/protected_class_view')
>>> view.__parent__ == self.folder.testoid
True
>>> view.__ac_permissions__
(('View', ('protected_method',)), ('View management screens', ('',)))
>>> getattr(view, '__call____roles__', False)
False
>>> aq_acquire(view, 'public_method__roles__') is ACCESS_PUBLIC
True
>>> aq_acquire(view, 'protected_method__roles__')
['Manager', 'test_role_1_', 'Manager', 'Anonymous']
>>> aq_acquire(view, 'private_method__roles__') is ACCESS_PRIVATE
True
Clean up Clean up
-------- --------
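Review bot: These examples only inspect the computed `*__roles__` attributes on a view obtained with `unrestrictedTraverse`, so they never exercise the security machinery that is supposed to act on those attributes. Unless another part of this file already covers it, consider one check per registration that goes through `restrictedTraverse` as a user lacking the required role and expects `Unauthorized` for `private_method`, and for the page itself where `__call__` is bound to 'View management screens'. The expected list `['Manager', 'test_role_1_', 'Manager', 'Anonymous']` depends on the fixture's role setup and repeats 'Manager'; comparing `sorted(set(...))` would make the assertion less brittle. The added lines import only `ACCESS_PUBLIC`, so `ACCESS_PRIVATE` and `aq_acquire` are presumably imported earlier in the file.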
......
...@@ -250,4 +250,28 @@ ...@@ -250,4 +250,28 @@
permission="zope2.Public" permission="zope2.Public"
/> />
<!-- views with protected methods -->
<browser:page
for="Products.Five.tests.testing.simplecontent.ISimpleContent"
class=".pages.ProtectedView"
name="protected_class_page"
permission="zope2.ViewManagementScreens"
/>
<browser:page
for="Products.Five.tests.testing.simplecontent.ISimpleContent"
class=".pages.ProtectedView"
template="falcon.pt"
name="protected_template_class_page"
permission="zope2.ViewManagementScreens"
/>
<browser:view
for="Products.Five.tests.testing.simplecontent.ISimpleContent"
class=".pages.ProtectedView"
name="protected_class_view"
permission="zope2.ViewManagementScreens"
/>
</configure> </configure>