[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/ZMI - ZMIViewService.py:1.1.2.4 ZMIViewUtility.py:1.1.2.5

Jim Fulton jim@zope.com
Tue, 12 Feb 2002 20:08:06 -0500 

Update of /cvs-repository/Zope3/lib/python/Zope/App/ZMI
In directory cvs.zope.org:/tmp/cvs-serv19608

Modified Files:
      Tag: Zope-3x-branch
	ZMIViewService.py ZMIViewUtility.py 
Log Message:
Changed the approach for permission-filtering views to use
ZopePublication.PublicationTraverser. This is because we have to check
the same sort of traversal the publisher uses. We also need a request
so we can handle views. This means the logic had to move out to the
view utility (which is a view ;).

This is a lot of work.  

Maybe we can get the view permission at configuration time. This would
avoid traversal while filtering. This needs more thought.



=== Zope3/lib/python/Zope/App/ZMI/ZMIViewService.py 1.1.2.3 => 1.1.2.4 ===
                     continue
                 
-                ## security check
-                try: adaptor.restrictedTraverse(v.action)
-                except:
-                    continue
+                ## XXX security check
+                ## XXX This is now much tricker, since we will need
+                #      to traverse views 
+                #try: adaptor.restrictedTraverse(v.action)
+                #except:
+                #    continue
 
                 ## check filter, short circuit if default
                 if not v.filter_string == 'python: 1':


=== Zope3/lib/python/Zope/App/ZMI/ZMIViewUtility.py 1.1.2.4 => 1.1.2.5 ===
 from Zope.Publisher.Browser.IBrowserPublisher import IBrowserPublisher
 from Zope.ComponentArchitecture import getService
+from Zope.App.ZopePublication.PublicationTraverse \
+     import PublicationTraverser
+from Zope.Exceptions import Unauthorized
 
 class ZMIViewUtility(ContextDependent):
 
     __implements__ = IBrowserPublisher
 
+    def setViewRequest(self, request):
+        self.__request = request
+
     def getZMIViews(self):
 
         context = self.getContext()
         zmi_view_service = getService(context, 'ZMIViewService')
         zmi_views=[]
+        traverser = PublicationTraverser()
         for view in zmi_view_service.getViews(context):
             label=view[0]
             action=view[1]
-            # munge action URL to make sure that it's using the ZMI skin
-            parts=action.split('/')
-            parts[0]='%s;skin=zmi' % parts[0]
-            action='/'.join(parts)
-            zmi_views.append({'label':label, 'action':action})
+            try:
+                traverser.traversePath(self.__request, context, action)
+            except Unauthorized:
+                pass # Skip unauthorized
+            else:
+                zmi_views.append({'label': label, 'action': "../%s" % action})
+
         return zmi_views