Commit 644f8279 authored by Martin Aspeli's avatar Martin Aspeli

Add support for the 'permission' attribute to browser:view

parent 46d57afe
......@@ -201,15 +201,7 @@ class view(zope.app.publisher.browser.viewmeta.view):
):
if permission is None:
permission = 'zope.Public'
elif permission in ('zope.Public', 'zope2.Public'):
# No need to warn about the default case
pass
else:
warnings.warn("The permission option of the <browser:view /> "
"directive is not supported in Zope 2. " + \
"Ignored for %s in %s" %
(str(class_), _context.info), stacklevel=3)
super(view, self).__init__(
_context, for_, permission, name=name, layer=layer,
class_=class_, allowed_interface=allowed_interface,
......@@ -314,6 +306,42 @@ class view(zope.app.publisher.browser.viewmeta.view):
newclass, (for_, layer), self.provides, name,
_context.info),
)
# Security
_context.action(
discriminator = ('five:protectClass', newclass),
callable = protectClass,
args = (newclass, permission)
)
if allowed_attributes:
for attr in allowed_attributes:
_context.action(
discriminator = ('five:protectName', newclass, attr),
callable = protectName,
args = (newclass, attr, permission)
)
# Make everything else private
allowed = allowed_attributes or []
private_attrs = [name for name in dir(newclass)
if (not name.startswith('_')) and
(name not in allowed) and
ismethod(getattr(newclass, name))]
for attr in private_attrs:
_context.action(
discriminator = ('five:protectName', newclass, attr),
callable = protectName,
args = (newclass, attr, CheckerPrivateId)
)
# Protect the class
_context.action(
discriminator = ('five:initialize:class', newclass),
callable = InitializeClass,
args = (newclass,)
)
_factory_map = {'image':{'prefix':'ImageResource',
'count':0,
......
......@@ -253,12 +253,34 @@ C methods work the same
>>> aq_parent(aq_inner(context))
<Folder at /test_folder_1_>
The same applies to a view registered with <browser:view /> instead of
<browser:page />
>>> request = TestRequest()
>>> view = getMultiAdapter((self.folder.testoid, request), name=u'permission_view')
>>> view.__ac_permissions__
(('View management screens', ('',)),)
>>> aq_acquire(view, '__roles__')
('Manager',)
>>> context = view.context
>>> from Acquisition import ImplicitAcquisitionWrapper
>>> type(context) == ImplicitAcquisitionWrapper
True
>>> view.__parent__ == view.context
True
>>> aq_parent(view) == view.context
True
>>> context.aq_inner.aq_parent
<Folder at /test_folder_1_>
>>> aq_parent(aq_inner(context))
<Folder at /test_folder_1_>
High-level security
-------------------
>>> protected_view_names = [
... 'eagle.txt', 'falcon.html', 'owl.html', 'flamingo.html',
... 'condor.html']
... 'condor.html', 'permission_view']
>>>
>>> public_view_names = [
... 'public_attribute_page',
......
......@@ -232,7 +232,15 @@
class=".pages.SimpleView"
permission="zope2.Public"
/>
<!-- A named view with permissions -->
<browser:view
name="permission_view"
for="Products.Five.tests.testing.simplecontent.ISimpleContent"
class=".pages.CallView"
permission="zope2.ViewManagementScreens"
/>
<!-- stuff that we'll override in overrides.zcml -->
<browser:page
for="Products.Five.tests.testing.simplecontent.ISimpleContent"
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment