[CMF-checkins] SVN: CMF/trunk/C - made _checkPermission a simple wrapper around checkPermission (Zope 2.8.5 and later respect proxy roles)

Yvo Schubbe y.2006_ at wcm-solutions.de
Sun Jan 8 13:01:04 EST 2006


Log message for revision 41230:
  - made _checkPermission a simple wrapper around checkPermission (Zope 2.8.5 and later respect proxy roles)
  - adjusted the unit test

Changed:
  U   CMF/trunk/CHANGES.txt
  U   CMF/trunk/CMFCore/tests/base/security.py
  U   CMF/trunk/CMFCore/tests/test_utils.py
  U   CMF/trunk/CMFCore/utils.py

-=-
Modified: CMF/trunk/CHANGES.txt
===================================================================
--- CMF/trunk/CHANGES.txt	2006-01-08 17:33:39 UTC (rev 41229)
+++ CMF/trunk/CHANGES.txt	2006-01-08 18:01:03 UTC (rev 41230)
@@ -164,6 +164,9 @@
 
   Others
 
+    - CMFCore utils: Made _checkPermission depend on Zope's checkPermission.
+      There is no longer a need to modify the checkPermission behavior in CMF.
+
     - TypeInformation: Removed support for old setting formats.
       If TypeInformation objects are initialized with keyword arguments,
       'actions' and 'aliases' keys have to use the format introduced in

Modified: CMF/trunk/CMFCore/tests/base/security.py
===================================================================
--- CMF/trunk/CMFCore/tests/base/security.py	2006-01-08 17:33:39 UTC (rev 41229)
+++ CMF/trunk/CMFCore/tests/base/security.py	2006-01-08 18:01:03 UTC (rev 41230)
@@ -67,7 +67,10 @@
     def getRolesInContext(self, object):
         return ('Manager',)
 
+    def _check_context(self, object):
+        return True
 
+
 class UserWithRoles( Implicit ):
     """
       User with roles specified in constructor
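Review bot: The added `_check_context` returns True unconditionally and has no comment saying why a test user needs it, so a reader cannot tell which policy branch it is there to satisfy. Judging by the code removed from CMFCore/utils.py in this same commit, the policy calls `owner._check_context(obj)` only when the executable has proxy roles and the object is acquisition-wrapped. A one-line comment such as `# Called by the security policy for proxy-role checks on wrapped objects; this user is always in context.` would record that. Because the stub never returns False, the denial path of that check is not exercised by any test that uses this user. The enclosing class starts outside the hunk.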

Modified: CMF/trunk/CMFCore/tests/test_utils.py
===================================================================
--- CMF/trunk/CMFCore/tests/test_utils.py	2006-01-08 17:33:39 UTC (rev 41229)
+++ CMF/trunk/CMFCore/tests/test_utils.py	2006-01-08 18:01:03 UTC (rev 41230)
@@ -1,50 +1,11 @@
-from unittest import TestSuite, makeSuite, main
+import unittest
 import Testing
-import Zope2
-Zope2.startup()
 
 from Products.CMFCore.tests.base.testcase import SecurityTest
 
-class CoreUtilsTests(SecurityTest):
 
-    def _makeSite(self):
-        from AccessControl.Owned import Owned
-        from Products.CMFCore.tests.base.dummy import DummySite
-        from Products.CMFCore.tests.base.dummy import DummyUserFolder
-        from Products.CMFCore.tests.base.dummy import DummyObject
+class CoreUtilsTests(unittest.TestCase):
 
-        class _DummyObject(Owned, DummyObject):
-            pass
-
-        site = DummySite('site').__of__(self.root)
-        site._setObject( 'acl_users', DummyUserFolder() )
-        site._setObject('content_dummy', _DummyObject(id='content_dummy'))
-        site._setObject('actions_dummy', _DummyObject(id='actions_dummy'))
-
-        return site
-
-    def test__checkPermission(self):
-        from AccessControl import getSecurityManager
-        from AccessControl.Permission import Permission
-        from Products.CMFCore.utils import _checkPermission
-
-        site = self._makeSite()
-        o = site.actions_dummy
-        Permission('View',(),o).setRoles(('Anonymous',))
-        Permission('WebDAV access',(),o).setRoles(('Authenticated',))
-        Permission('Manage users',(),o).setRoles(('Manager',))
-        eo = site.content_dummy
-        eo._owner = (['acl_users'], 'user_foo')
-        getSecurityManager().addContext(eo)
-        self.failUnless( _checkPermission('View', o) )
-        self.failIf( _checkPermission('WebDAV access', o) )
-        self.failIf( _checkPermission('Manage users', o) )
-
-        eo._proxy_roles = ('Authenticated',)
-        self.failIf( _checkPermission('View', o) )
-        self.failUnless( _checkPermission('WebDAV access', o) )
-        self.failIf( _checkPermission('Manage users', o) )
-
     def test_normalize(self):
         from Products.CMFCore.utils import normalize
 
@@ -100,6 +61,57 @@
             self.assertEqual( contributorsplitter({'Contributors': x}), 
                               ['foo', 'bar', 'baz'] )
 
+
+class CoreUtilsSecurityTests(SecurityTest):
+
+    def _makeSite(self):
+        from AccessControl.Owned import Owned
+        from Products.CMFCore.tests.base.dummy import DummySite
+        from Products.CMFCore.tests.base.dummy import DummyUserFolder
+        from Products.CMFCore.tests.base.dummy import DummyObject
+
+        class _DummyObject(Owned, DummyObject):
+            pass
+
+        site = DummySite('site').__of__(self.root)
+        site._setObject( 'acl_users', DummyUserFolder() )
+        site._setObject('foo_dummy', _DummyObject(id='foo_dummy'))
+        site._setObject('bar_dummy', _DummyObject(id='bar_dummy'))
+
+        return site
+
+    def test__checkPermission(self):
+        from AccessControl import getSecurityManager
+        from AccessControl.ImplPython import ZopeSecurityPolicy
+        from AccessControl.Permission import Permission
+        from AccessControl.SecurityManagement import newSecurityManager
+        from AccessControl.SecurityManager import setSecurityPolicy
+        from Products.CMFCore.utils import _checkPermission
+
+        setSecurityPolicy(ZopeSecurityPolicy())
+        site = self._makeSite()
+        newSecurityManager(None, site.acl_users.user_foo)
+        o = site.bar_dummy
+        Permission('View',(),o).setRoles(('Anonymous',))
+        Permission('WebDAV access',(),o).setRoles(('Authenticated',))
+        Permission('Manage users',(),o).setRoles(('Manager',))
+        eo = site.foo_dummy
+        eo._owner = (['acl_users'], 'all_powerful_Oz')
+        getSecurityManager().addContext(eo)
+        self.failUnless( _checkPermission('View', o) )
+        self.failUnless( _checkPermission('WebDAV access', o) )
+        self.failIf( _checkPermission('Manage users', o) )
+
+        eo._proxy_roles = ('Authenticated',)
+        self.failIf( _checkPermission('View', o) )
+        self.failUnless( _checkPermission('WebDAV access', o) )
+        self.failIf( _checkPermission('Manage users', o) )
+
+        eo._proxy_roles = ('Manager',)
+        self.failIf( _checkPermission('View', o) )
+        self.failIf( _checkPermission('WebDAV access', o) )
+        self.failUnless( _checkPermission('Manage users', o) )
+
     def test_mergedLocalRolesManipulation(self):
         # The _mergedLocalRoles function used to return references to
         # actual local role settings and it was possible to manipulate them
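Review bot: `setSecurityPolicy(ZopeSecurityPolicy())` in `test__checkPermission` replaces the process-wide security policy and the test never puts the previous one back, so later tests may run under a different policy unless `SecurityTest.tearDown` (not visible here) restores it. `setSecurityPolicy` returns the policy it replaces, so `old_policy = setSecurityPolicy(ZopeSecurityPolicy())` with a `try/finally` that calls `setSecurityPolicy(old_policy)` would make the test self-contained. The same concern applies to the `newSecurityManager(None, site.acl_users.user_foo)` call. The executable owner is `all_powerful_Oz` in every assertion, so the case where the owner itself lacks the permission is not asserted; a block with an unprivileged owner would cover it. `test_mergedLocalRolesManipulation` continues outside the hunk.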
@@ -118,9 +130,10 @@
 
 
 def test_suite():
-    return TestSuite((
-        makeSuite(CoreUtilsTests),
+    return unittest.TestSuite((
+        unittest.makeSuite(CoreUtilsTests),
+        unittest.makeSuite(CoreUtilsSecurityTests),
         ))
 
 if __name__ == '__main__':
-    main(defaultTest='test_suite')
+    unittest.main(defaultTest='test_suite')

Modified: CMF/trunk/CMFCore/utils.py
===================================================================
--- CMF/trunk/CMFCore/utils.py	2006-01-08 17:33:39 UTC (rev 41229)
+++ CMF/trunk/CMFCore/utils.py	2006-01-08 18:01:03 UTC (rev 41230)
@@ -26,7 +26,6 @@
 from AccessControl.Permission import Permission
 from AccessControl.PermissionRole import rolesForPermissionOn
 from AccessControl.Role import gather_permissions
-from Acquisition import aq_base
 from Acquisition import aq_get
 from Acquisition import aq_inner
 from Acquisition import aq_parent
@@ -118,40 +117,13 @@
 #   Security utilities, callable only from unrestricted code.
 #
 security.declarePrivate('_getAuthenticatedUser')
-def _getAuthenticatedUser( self ):
+def _getAuthenticatedUser(self):
     return getSecurityManager().getUser()
 
 security.declarePrivate('_checkPermission')
 def _checkPermission(permission, obj):
-    """ Check if the current user has the permission on the given object.
-    """
-    # this code is ported from ZopeSecurityPolicy.checkPermission
-    roles = rolesForPermissionOn(permission, obj)
-    if isinstance(roles, basestring):
-        roles = [roles]
-    context = getSecurityManager()._context
+    return getSecurityManager().checkPermission(permission, obj)
 
-    # check executable owner and proxy roles
-    # this code is ported from ZopeSecurityPolicy.validate
-    stack = context.stack
-    if stack:
-        eo = stack[-1]
-        owner = eo.getOwner()
-        if owner is not None:
-            if not owner.allowed(obj, roles):
-                return 0
-            proxy_roles = getattr(eo, '_proxy_roles', None)
-            if proxy_roles:
-                if obj is not aq_base(obj):
-                    if not owner._check_context(obj):
-                        return 0
-                for r in proxy_roles:
-                    if r in roles:
-                         return 1
-                return 0
-
-    return context.user.allowed(obj, roles)
-
 # If Zope ever provides a call to getRolesInContext() through
 # the SecurityManager API, the method below needs to be updated.
 security.declarePrivate('_limitGrantedRoles')
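Review bot: `_checkPermission` loses its docstring here, and with it any record that executable-owner and proxy-role handling now comes entirely from Zope's `checkPermission`. The commit message says only Zope 2.8.5 and later respect proxy roles, so on an older Zope this wrapper would presumably evaluate the permission without them; that dependency should be stated in the function. I would restore a docstring along the lines of `""" Check if the current user has the permission on the given object. Depends on Zope >= 2.8.5, whose checkPermission respects proxy roles. """`. The old body returned 0 or 1 on the proxy-role paths, so callers that compare the result to a specific value rather than testing truthiness are worth a quick check.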


