[CMF-checkins] SVN: CMF/trunk/C - made _checkPermission a simple
wrapper around checkPermission (Zope 2.8.5 and later respect
proxy roles)
Yvo Schubbe
y.2006_ at wcm-solutions.de
Sun Jan 8 13:01:04 EST 2006
Log message for revision 41230:
- made _checkPermission a simple wrapper around checkPermission (Zope 2.8.5 and later respect proxy roles)
- adjusted the unit test
Changed:
U CMF/trunk/CHANGES.txt
U CMF/trunk/CMFCore/tests/base/security.py
U CMF/trunk/CMFCore/tests/test_utils.py
U CMF/trunk/CMFCore/utils.py
-=-
Modified: CMF/trunk/CHANGES.txt
===================================================================
--- CMF/trunk/CHANGES.txt 2006-01-08 17:33:39 UTC (rev 41229)
+++ CMF/trunk/CHANGES.txt 2006-01-08 18:01:03 UTC (rev 41230)
@@ -164,6 +164,9 @@
Others
+ - CMFCore utils: Made _checkPermission depend on Zope's checkPermission.
+ There is no longer a need to modify the checkPermission behavior in CMF.
+
- TypeInformation: Removed support for old setting formats.
If TypeInformation objects are initialized with keyword arguments,
'actions' and 'aliases' keys have to use the format introduced in
Modified: CMF/trunk/CMFCore/tests/base/security.py
===================================================================
--- CMF/trunk/CMFCore/tests/base/security.py 2006-01-08 17:33:39 UTC (rev 41229)
+++ CMF/trunk/CMFCore/tests/base/security.py 2006-01-08 18:01:03 UTC (rev 41230)
@@ -67,7 +67,10 @@
def getRolesInContext(self, object):
return ('Manager',)
+ def _check_context(self, object):
+ return True
+
class UserWithRoles( Implicit ):
"""
User with roles specified in constructor
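Review bot: The added `_check_context` stub returns True unconditionally and has no comment, so a reader cannot tell why this dummy user needs it, or that the tests never exercise the path where the executable owner is out of context. Judging by the code removed from utils.py in this same commit, the method is consulted when the executable has proxy roles and the checked object is acquisition-wrapped. A comment such as `# Consulted by the proxy-role check in the security policy; this test user is always in context.` would record that. The enclosing class starts above the hunk, so which dummy user receives the stub cannot be confirmed from here.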
Modified: CMF/trunk/CMFCore/tests/test_utils.py
===================================================================
--- CMF/trunk/CMFCore/tests/test_utils.py 2006-01-08 17:33:39 UTC (rev 41229)
+++ CMF/trunk/CMFCore/tests/test_utils.py 2006-01-08 18:01:03 UTC (rev 41230)
@@ -1,50 +1,11 @@
-from unittest import TestSuite, makeSuite, main
+import unittest
import Testing
-import Zope2
-Zope2.startup()
from Products.CMFCore.tests.base.testcase import SecurityTest
-class CoreUtilsTests(SecurityTest):
- def _makeSite(self):
- from AccessControl.Owned import Owned
- from Products.CMFCore.tests.base.dummy import DummySite
- from Products.CMFCore.tests.base.dummy import DummyUserFolder
- from Products.CMFCore.tests.base.dummy import DummyObject
+class CoreUtilsTests(unittest.TestCase):
- class _DummyObject(Owned, DummyObject):
- pass
-
- site = DummySite('site').__of__(self.root)
- site._setObject( 'acl_users', DummyUserFolder() )
- site._setObject('content_dummy', _DummyObject(id='content_dummy'))
- site._setObject('actions_dummy', _DummyObject(id='actions_dummy'))
-
- return site
-
- def test__checkPermission(self):
- from AccessControl import getSecurityManager
- from AccessControl.Permission import Permission
- from Products.CMFCore.utils import _checkPermission
-
- site = self._makeSite()
- o = site.actions_dummy
- Permission('View',(),o).setRoles(('Anonymous',))
- Permission('WebDAV access',(),o).setRoles(('Authenticated',))
- Permission('Manage users',(),o).setRoles(('Manager',))
- eo = site.content_dummy
- eo._owner = (['acl_users'], 'user_foo')
- getSecurityManager().addContext(eo)
- self.failUnless( _checkPermission('View', o) )
- self.failIf( _checkPermission('WebDAV access', o) )
- self.failIf( _checkPermission('Manage users', o) )
-
- eo._proxy_roles = ('Authenticated',)
- self.failIf( _checkPermission('View', o) )
- self.failUnless( _checkPermission('WebDAV access', o) )
- self.failIf( _checkPermission('Manage users', o) )
-
def test_normalize(self):
from Products.CMFCore.utils import normalize
@@ -100,6 +61,57 @@
self.assertEqual( contributorsplitter({'Contributors': x}),
['foo', 'bar', 'baz'] )
+
+class CoreUtilsSecurityTests(SecurityTest):
+
+ def _makeSite(self):
+ from AccessControl.Owned import Owned
+ from Products.CMFCore.tests.base.dummy import DummySite
+ from Products.CMFCore.tests.base.dummy import DummyUserFolder
+ from Products.CMFCore.tests.base.dummy import DummyObject
+
+ class _DummyObject(Owned, DummyObject):
+ pass
+
+ site = DummySite('site').__of__(self.root)
+ site._setObject( 'acl_users', DummyUserFolder() )
+ site._setObject('foo_dummy', _DummyObject(id='foo_dummy'))
+ site._setObject('bar_dummy', _DummyObject(id='bar_dummy'))
+
+ return site
+
+ def test__checkPermission(self):
+ from AccessControl import getSecurityManager
+ from AccessControl.ImplPython import ZopeSecurityPolicy
+ from AccessControl.Permission import Permission
+ from AccessControl.SecurityManagement import newSecurityManager
+ from AccessControl.SecurityManager import setSecurityPolicy
+ from Products.CMFCore.utils import _checkPermission
+
+ setSecurityPolicy(ZopeSecurityPolicy())
+ site = self._makeSite()
+ newSecurityManager(None, site.acl_users.user_foo)
+ o = site.bar_dummy
+ Permission('View',(),o).setRoles(('Anonymous',))
+ Permission('WebDAV access',(),o).setRoles(('Authenticated',))
+ Permission('Manage users',(),o).setRoles(('Manager',))
+ eo = site.foo_dummy
+ eo._owner = (['acl_users'], 'all_powerful_Oz')
+ getSecurityManager().addContext(eo)
+ self.failUnless( _checkPermission('View', o) )
+ self.failUnless( _checkPermission('WebDAV access', o) )
+ self.failIf( _checkPermission('Manage users', o) )
+
+ eo._proxy_roles = ('Authenticated',)
+ self.failIf( _checkPermission('View', o) )
+ self.failUnless( _checkPermission('WebDAV access', o) )
+ self.failIf( _checkPermission('Manage users', o) )
+
+ eo._proxy_roles = ('Manager',)
+ self.failIf( _checkPermission('View', o) )
+ self.failIf( _checkPermission('WebDAV access', o) )
+ self.failUnless( _checkPermission('Manage users', o) )
+
def test_mergedLocalRolesManipulation(self):
# The _mergedLocalRoles function used to return references to
# actual local role settings and it was possible to manipulate them
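Review bot: `test__checkPermission` replaces the process-wide security policy with `setSecurityPolicy(ZopeSecurityPolicy())` and never restores the previous one, so tests that run afterwards may be evaluated under a policy they did not set up. `setSecurityPolicy` returns the policy it replaced, so the test can keep it with `old_policy = setSecurityPolicy(ZopeSecurityPolicy())` and call `setSecurityPolicy(old_policy)` in a `finally:` block around the assertions. SecurityTest's setUp and tearDown are outside the hunk and may already reset the security manager, but nothing visible here resets the policy. The last two assertion groups also deserve a one-line comment, for example `# proxy roles replace the roles used for the check, they do not add to them`, since denying 'View' under a Manager proxy role is the non-obvious behaviour being pinned.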
@@ -118,9 +130,10 @@
def test_suite():
- return TestSuite((
- makeSuite(CoreUtilsTests),
+ return unittest.TestSuite((
+ unittest.makeSuite(CoreUtilsTests),
+ unittest.makeSuite(CoreUtilsSecurityTests),
))
if __name__ == '__main__':
- main(defaultTest='test_suite')
+ unittest.main(defaultTest='test_suite')
Modified: CMF/trunk/CMFCore/utils.py
===================================================================
--- CMF/trunk/CMFCore/utils.py 2006-01-08 17:33:39 UTC (rev 41229)
+++ CMF/trunk/CMFCore/utils.py 2006-01-08 18:01:03 UTC (rev 41230)
@@ -26,7 +26,6 @@
from AccessControl.Permission import Permission
from AccessControl.PermissionRole import rolesForPermissionOn
from AccessControl.Role import gather_permissions
-from Acquisition import aq_base
from Acquisition import aq_get
from Acquisition import aq_inner
from Acquisition import aq_parent
@@ -118,40 +117,13 @@
# Security utilities, callable only from unrestricted code.
#
security.declarePrivate('_getAuthenticatedUser')
-def _getAuthenticatedUser( self ):
+def _getAuthenticatedUser(self):
return getSecurityManager().getUser()
security.declarePrivate('_checkPermission')
def _checkPermission(permission, obj):
- """ Check if the current user has the permission on the given object.
- """
- # this code is ported from ZopeSecurityPolicy.checkPermission
- roles = rolesForPermissionOn(permission, obj)
- if isinstance(roles, basestring):
- roles = [roles]
- context = getSecurityManager()._context
+ return getSecurityManager().checkPermission(permission, obj)
- # check executable owner and proxy roles
- # this code is ported from ZopeSecurityPolicy.validate
- stack = context.stack
- if stack:
- eo = stack[-1]
- owner = eo.getOwner()
- if owner is not None:
- if not owner.allowed(obj, roles):
- return 0
- proxy_roles = getattr(eo, '_proxy_roles', None)
- if proxy_roles:
- if obj is not aq_base(obj):
- if not owner._check_context(obj):
- return 0
- for r in proxy_roles:
- if r in roles:
- return 1
- return 0
-
- return context.user.allowed(obj, roles)
-
# If Zope ever provides a call to getRolesInContext() through
# the SecurityManager API, the method below needs to be updated.
security.declarePrivate('_limitGrantedRoles')
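Review bot: `_checkPermission` loses its docstring here and now enforces only what the installed security policy's `checkPermission` enforces. On a Zope older than the 2.8.5 named in the commit message, the executable-owner and proxy-role checks done by the removed body would therefore presumably no longer run. The function should keep a docstring that states this dependency, for example `""" Check if the current user has the permission on the given object (relies on Zope >= 2.8.5 for executable owner and proxy role handling). """`. The return value is now passed through from the security manager instead of the explicit 0/1 of the old body, so the docstring should also say that callers may rely on truthiness only. With the ported code gone, the `rolesForPermissionOn` import kept as context in the previous hunk may be unused, but the rest of utils.py is not visible here.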