Move the DTML policy assignment and deal with import order changes

src/AccessControl/DTML.py

@@ -15,3 +15,4 @@
 
 # BBB
 from DocumentTemplate.security import DTMLSecurityAPI
+from DocumentTemplate.security import RestrictedDTML

src/AccessControl/ImplC.py

@@ -31,15 +31,11 @@ except ImportError:
     # make sure a partial import doesn't pollute sys.modules
     del sys.modules[__name__]
     raise
-    
-from AccessControl.ImplPython import RestrictedDTML
+
 from AccessControl.ImplPython import SecurityManager
 from AccessControl.ImplPython import ZopeSecurityPolicy
 
 
-class RestrictedDTML(RestrictedDTMLMixin, RestrictedDTML):
-    """A mix-in for derivatives of DT_String.String that adds Zope security."""
-
 class ZopeSecurityPolicy(cZopeSecurityPolicy, ZopeSecurityPolicy):
     """A security manager provides methods for checking access and managing
     executable context and policies

src/AccessControl/ImplPython.py

@@ -180,19 +180,6 @@ class imPermissionRole(Base):
         return len(v)
 
 
-# AccessControl.DTML
-# ------------------
-
-class RestrictedDTML:
-    """A mix-in for derivatives of DT_String.String that adds Zope security."""
-
-    def guarded_getattr(self, *args): # ob, name [, default]
-        return guarded_getattr(*args)
-
-    def guarded_getitem(self, ob, index):
-        return guarded_getitem(ob, index)
-
-
 # AccessControl.ZopeSecurityPolicy
 # --------------------------------
 #

src/AccessControl/Implementation.py

@@ -75,8 +75,6 @@ _implementation_set = 0
 _policy_names = {
     "AccessControl": ("setDefaultBehaviors",
                       ),
-    "AccessControl.DTML": ("RestrictedDTML",
-                           ),
     "AccessControl.PermissionRole": ("_what_not_even_god_should_do",
                                      "rolesForPermissionOn",
                                      "PermissionRole",

src/DocumentTemplate/DT_Util.py

@@ -33,6 +33,10 @@ from RestrictedPython.Eval import RestrictionCapableEval
 
 from Shared.TaintedString import TaintedString
 
+if 'test' not in utility_builtins:
+    from RestrictedPython.Utilities import test
+    utility_builtins['test'] = test
+
 test = utility_builtins['test'] # for backwards compatibility, dont remove!
 
 LIMITED_BUILTINS = 1
@@ -109,6 +113,7 @@ class StringFunctionWrapper:
         return retval
 
 TemplateDict.string = StringModuleWrapper()
+TemplateDict.__allow_access_to_unprotected_subobjects__ = 1
 
 # The functions below are meant to bind to the TemplateDict.
 

src/DocumentTemplate/__init__.py

@@ -10,13 +10,10 @@
 # FOR A PARTICULAR PURPOSE
 #
 ##############################################################################
-__doc__='''Package wrapper for Document Template
+"""Package wrapper for Document Template
 
 This wrapper allows the (now many) document template modules to be
-segregated in a separate package.
-
-$Id$'''
-__version__='$Revision: 1.18 $'[11:-2]
+segregated in a separate package."""
 
 from DocumentTemplate.DT_String import String, File
 from DocumentTemplate.DT_HTML import HTML, HTMLDefault, HTMLFile

src/DocumentTemplate/security.py

@@ -15,28 +15,43 @@
 
 import string, math, random, sets
 
-from AccessControl import SecurityManagement
-from AccessControl.SimpleObjectPolicies import ContainerAssertions
-from AccessControl.ZopeGuards import safe_builtins
-
-import DocumentTemplate.sequence
-from DocumentTemplate import DT_Util
-
-# RestrictedDTML is inserted by AccessControl.Implementation.
-
-
 # Allow access to unprotected attributes
-DT_Util.TemplateDict.__allow_access_to_unprotected_subobjects__=1
 string.__allow_access_to_unprotected_subobjects__=1
 math.__allow_access_to_unprotected_subobjects__=1
 random.__allow_access_to_unprotected_subobjects__=1
 sets.__allow_access_to_unprotected_subobjects__=1
 
+# Setup RestrictedDTML
 
-DocumentTemplate.sequence.__allow_access_to_unprotected_subobjects__=1
+from AccessControl.ImplPython import guarded_getattr
+from AccessControl.ZopeGuards import guarded_getitem
+
+RestrictedDTML = None
+
+class BaseRestrictedDTML:
+    """A mix-in for derivatives of DT_String.String that adds Zope security."""
+
+    def guarded_getattr(self, *args): # ob, name [, default]
+        return guarded_getattr(*args)
+
+    def guarded_getitem(self, ob, index):
+        return guarded_getitem(ob, index)
+
+
+# This does not respect the security policy as set by AccessControl. Instead
+# it only deals with the C module being compiled or not.
+try:
+    from AccessControl.cAccessControl import RestrictedDTMLMixin
+except ImportError:
+    RestrictedDTML = BaseRestrictedDTML
+else:
+    class RestrictedDTML(RestrictedDTMLMixin, BaseRestrictedDTML):
+        """C version of RestrictedDTML."""
 
 # Add security testing capabilities
 
+from AccessControl import SecurityManagement
+
 class DTMLSecurityAPI:
     """API for performing security checks in DTML using '_' methods.
     """
@@ -96,11 +111,16 @@ class DTMLSecurityAPI:
         if r > 0: return r-1
         return r
 
+
+from DocumentTemplate import DT_Util
+
 for name, v in DTMLSecurityAPI.__dict__.items():
     if name[0] != '_':
         setattr(DT_Util.TemplateDict, name, v)
 
 from types import FunctionType
+from AccessControl.ZopeGuards import safe_builtins
+
 for name, v in safe_builtins.items():
     if type(v) is FunctionType:
         v = DT_Util.NotBindable(v)
@@ -109,11 +129,14 @@ for name, v in safe_builtins.items():
     setattr(DT_Util.TemplateDict, name, v)
 
 
+# Temporarily create a DictInstance so that we can mark its type as
+# being a key in the ContainerAssertions.
+
+from AccessControl.SimpleObjectPolicies import ContainerAssertions
+
 class _dummy_class:
     pass
 
-# Temporarily create a DictInstance so that we can mark its type as
-# being a key in the ContainerAssertions.
 templateDict = DT_Util.TemplateDict()
 try:
     dictInstance = templateDict(dummy=1)[0]

src/DocumentTemplate/sequence/__init__.py

@@ -11,5 +11,6 @@
 #
 ##############################################################################
 
+__allow_access_to_unprotected_subobjects__ = 1
 
 from zope.sequencesort.ssort import *