Commit b47ef4d6 authored by Hanno Schlichting's avatar Hanno Schlichting

Move the DTML policy assignment and deal with import order changes

parent 88383a91
......@@ -15,3 +15,4 @@
# BBB
from DocumentTemplate.security import DTMLSecurityAPI
from DocumentTemplate.security import RestrictedDTML
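Review bot: The bare `# BBB` above these two imports does not say what compatibility they preserve or that the binding has changed character: `AccessControl.DTML.RestrictedDTML` was previously assigned by `AccessControl.Implementation` (the `"AccessControl.DTML"` entry this commit removes from `_policy_names`) and is now a plain import-time re-export of `DocumentTemplate.security.RestrictedDTML`, so it presumably no longer tracks a later `AccessControl.Implementation.setImplementation()` call. Record that for the next maintainer, e.g. `# BBB: RestrictedDTML and DTMLSecurityAPI now live in DocumentTemplate.security; re-exported here for importers of AccessControl.DTML. Bound at import time, no longer swapped by AccessControl.Implementation.` The rest of the module is outside the hunk.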
......@@ -32,14 +32,10 @@ except ImportError:
del sys.modules[__name__]
raise
from AccessControl.ImplPython import RestrictedDTML
from AccessControl.ImplPython import SecurityManager
from AccessControl.ImplPython import ZopeSecurityPolicy
class RestrictedDTML(RestrictedDTMLMixin, RestrictedDTML):
"""A mix-in for derivatives of DT_String.String that adds Zope security."""
class ZopeSecurityPolicy(cZopeSecurityPolicy, ZopeSecurityPolicy):
"""A security manager provides methods for checking access and managing
executable context and policies
......@@ -180,19 +180,6 @@ class imPermissionRole(Base):
return len(v)
# AccessControl.DTML
# ------------------
class RestrictedDTML:
"""A mix-in for derivatives of DT_String.String that adds Zope security."""
def guarded_getattr(self, *args): # ob, name [, default]
return guarded_getattr(*args)
def guarded_getitem(self, ob, index):
return guarded_getitem(ob, index)
# AccessControl.ZopeSecurityPolicy
# --------------------------------
#
......@@ -75,8 +75,6 @@ _implementation_set = 0
_policy_names = {
"AccessControl": ("setDefaultBehaviors",
),
"AccessControl.DTML": ("RestrictedDTML",
),
"AccessControl.PermissionRole": ("_what_not_even_god_should_do",
"rolesForPermissionOn",
"PermissionRole",
......@@ -33,6 +33,10 @@ from RestrictedPython.Eval import RestrictionCapableEval
from Shared.TaintedString import TaintedString
if 'test' not in utility_builtins:
from RestrictedPython.Utilities import test
utility_builtins['test'] = test
test = utility_builtins['test'] # for backwards compatibility, dont remove!
LIMITED_BUILTINS = 1
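Review bot: The new `if 'test' not in utility_builtins:` block mutates RestrictedPython's shared `utility_builtins` dict at DT_Util import time, so every consumer of that dict in the process gains `test`, not only DTML, and nothing in the hunk says why that side effect is acceptable. The guard suggests it backfills `test` for RestrictedPython versions that do not register it themselves — if that is the intent, state it: `# Older RestrictedPython releases presumably do not register 'test' in utility_builtins; add it so the builtins visible to DTML are the same across versions. NOTE: this is a process-wide change to RestrictedPython's dict.` The `test = utility_builtins['test']` line would also read better with a BBB comment naming what depends on `DT_Util.test` rather than just "dont remove!".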
......@@ -109,6 +113,7 @@ class StringFunctionWrapper:
return retval
TemplateDict.string = StringModuleWrapper()
TemplateDict.__allow_access_to_unprotected_subobjects__ = 1
# The functions below are meant to bind to the TemplateDict.
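Review bot: The explanatory comment was lost in the move: `TemplateDict.__allow_access_to_unprotected_subobjects__ = 1` sat under `# Allow access to unprotected attributes` in DocumentTemplate/security.py and now appears bare beside the `TemplateDict.string` assignment. Since this flag is what lets restricted DTML reach attributes of the template namespace that carry no explicit protection, the reason it is safe belongs next to it, e.g. `# Security: restricted DTML may access TemplateDict attributes that carry no explicit protection; the DTMLSecurityAPI names copied onto TemplateDict in DocumentTemplate.security rely on this.` The dependency on DocumentTemplate.security is inferred from the setattr loop in that file; verify before quoting it.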
......@@ -10,13 +10,10 @@
# FOR A PARTICULAR PURPOSE
#
##############################################################################
__doc__='''Package wrapper for Document Template
"""Package wrapper for Document Template
This wrapper allows the (now many) document template modules to be
segregated in a separate package.
$Id$'''
__version__='$Revision: 1.18 $'[11:-2]
segregated in a separate package."""
from DocumentTemplate.DT_String import String, File
from DocumentTemplate.DT_HTML import HTML, HTMLDefault, HTMLFile
......@@ -15,28 +15,43 @@
import string, math, random, sets
from AccessControl import SecurityManagement
from AccessControl.SimpleObjectPolicies import ContainerAssertions
from AccessControl.ZopeGuards import safe_builtins
import DocumentTemplate.sequence
from DocumentTemplate import DT_Util
# RestrictedDTML is inserted by AccessControl.Implementation.
# Allow access to unprotected attributes
DT_Util.TemplateDict.__allow_access_to_unprotected_subobjects__=1
string.__allow_access_to_unprotected_subobjects__=1
math.__allow_access_to_unprotected_subobjects__=1
random.__allow_access_to_unprotected_subobjects__=1
sets.__allow_access_to_unprotected_subobjects__=1
# Setup RestrictedDTML
DocumentTemplate.sequence.__allow_access_to_unprotected_subobjects__=1
from AccessControl.ImplPython import guarded_getattr
from AccessControl.ZopeGuards import guarded_getitem
RestrictedDTML = None
class BaseRestrictedDTML:
"""A mix-in for derivatives of DT_String.String that adds Zope security."""
def guarded_getattr(self, *args): # ob, name [, default]
return guarded_getattr(*args)
def guarded_getitem(self, ob, index):
return guarded_getitem(ob, index)
# This does not respect the security policy as set by AccessControl. Instead
# it only deals with the C module being compiled or not.
try:
from AccessControl.cAccessControl import RestrictedDTMLMixin
except ImportError:
RestrictedDTML = BaseRestrictedDTML
else:
class RestrictedDTML(RestrictedDTMLMixin, BaseRestrictedDTML):
"""C version of RestrictedDTML."""
# Add security testing capabilities
from AccessControl import SecurityManagement
class DTMLSecurityAPI:
"""API for performing security checks in DTML using '_' methods.
"""
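Review bot: The comment above the `try` says the C/Python choice "does not respect the security policy as set by AccessControl", but what it bypasses is the implementation switch (`AccessControl.Implementation.setImplementation`), not the ZopeSecurityPolicy — as written it invites the misreading that RestrictedDTML skips access checks. Reword it, e.g. `# NOTE: the C mixin is used whenever cAccessControl compiled, independent of AccessControl.Implementation.setImplementation(); only the pure-Python fallback follows the ImplPython bindings.` The same caveat belongs in `BaseRestrictedDTML`'s docstring, because its `guarded_getattr` is pinned to `AccessControl.ImplPython.guarded_getattr` while `guarded_getitem` comes from `AccessControl.ZopeGuards`, and a reader comparing the two imports will wonder whether the asymmetry is intentional. The module continues past the hunk with DTMLSecurityAPI's body.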
......@@ -96,11 +111,16 @@ class DTMLSecurityAPI:
if r > 0: return r-1
return r
from DocumentTemplate import DT_Util
for name, v in DTMLSecurityAPI.__dict__.items():
if name[0] != '_':
setattr(DT_Util.TemplateDict, name, v)
from types import FunctionType
from AccessControl.ZopeGuards import safe_builtins
for name, v in safe_builtins.items():
if type(v) is FunctionType:
v = DT_Util.NotBindable(v)
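Review bot: `from DocumentTemplate import DT_Util`, `from types import FunctionType` and `from AccessControl.ZopeGuards import safe_builtins` are now placed mid-module directly before their first use with nothing saying why they are not at the top; given the commit title this is presumably to satisfy an import-order constraint, and a later cleanup that hoists them would silently reintroduce the problem. Add a one-line reason above each, e.g. `# Imported here rather than at module top because of the import-order dependency described in commit b47ef4d6 — do not hoist.` The loop copying DTMLSecurityAPI's public names onto TemplateDict continues below the hunk.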
......@@ -109,11 +129,14 @@ for name, v in safe_builtins.items():
setattr(DT_Util.TemplateDict, name, v)
# Temporarily create a DictInstance so that we can mark its type as
# being a key in the ContainerAssertions.
from AccessControl.SimpleObjectPolicies import ContainerAssertions
class _dummy_class:
pass
# Temporarily create a DictInstance so that we can mark its type as
# being a key in the ContainerAssertions.
templateDict = DT_Util.TemplateDict()
try:
dictInstance = templateDict(dummy=1)[0]
......@@ -11,5 +11,6 @@
#
##############################################################################
__allow_access_to_unprotected_subobjects__ = 1
from zope.sequencesort.ssort import *
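Review bot: `__allow_access_to_unprotected_subobjects__ = 1` now marks this module, whose only content is `from zope.sequencesort.ssort import *`, so every public name that star-import brings in becomes reachable from restricted DTML/Python code without further checks, and any name later added to `zope.sequencesort.ssort` is exposed here automatically. The previous form in DocumentTemplate/security.py (`DocumentTemplate.sequence.__allow_access_to_unprotected_subobjects__=1`) had the same effect, so this is not a new exposure, but the intent should be on record: `# Security: this module is reachable from restricted code; it deliberately exposes the sort helpers re-exported from zope.sequencesort.ssort and nothing else should be added here.` Whether ssort defines `__all__` to bound the star-import is not visible in this diff and is worth confirming.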