[Zope-Checkins] CVS: Zope/lib/python/Zope/App - startup.py:1.1.6.2
Jim Fulton
jim@zope.com
Tue, 10 Jun 2003 13:36:23 -0400
Update of /cvs-repository/Zope/lib/python/Zope/App
In directory cvs.zope.org:/tmp/cvs-serv16278
Modified Files:
Tag: Zope-2_6-branch
startup.py
Log Message:
Changed the zpublisher_validated_hook to check whether the request
contains a version name. If it does, then we check whether the user
globally has permission to join/leave versions. If they don't, we
clear the cookie and raise Unauthorized. This will abort any changes that
might have been made during traversal. (If some traversal code makes
changes and commits them, then we still lose and probably deserve to.)
=== Zope/lib/python/Zope/App/startup.py 1.1.6.1 => 1.1.6.2 ===
--- Zope/lib/python/Zope/App/startup.py:1.1.6.1 Tue Oct 22 10:15:30 2002
+++ Zope/lib/python/Zope/App/startup.py Tue Jun 10 13:36:23 2003
@@ -13,24 +13,26 @@
"""Initialize the Zope Package and provide a published module
"""
-import sys
-import os
-import imp
-from types import StringType, ListType
-
-import Zope
+from AccessControl.SecurityManagement import newSecurityManager
+from AccessControl.SecurityManagement import noSecurityManager
+from AccessControl.SecurityManagement import getSecurityManager
from Acquisition import aq_acquire
-import App.FindHomes
-import ZODB
-import ZODB.ZApplication
+from types import StringType, ListType
+from zExceptions import Unauthorized
+from zLOG import LOG, WARNING, INFO, BLATHER, log_time
from ZODB.POSException import ConflictError
+import AccessControl.User
+import App.FindHomes
+import ExtensionClass
import Globals
+import imp
import OFS.Application
-import AccessControl.SecurityManagement
-import AccessControl.User
+import os
+import sys
+import ZODB
+import ZODB.ZApplication
+import Zope
import ZPublisher
-import ExtensionClass
-from zLOG import LOG, WARNING, INFO, BLATHER, log_time
def startup():
@@ -76,8 +78,7 @@
DB.setClassFactory(ClassFactory.ClassFactory)
# "Log on" as system user
- AccessControl.SecurityManagement.newSecurityManager(
- None, AccessControl.User.system)
+ newSecurityManager(None, AccessControl.User.system)
# Set up the "app" object that automagically opens
# connections
@@ -96,7 +97,7 @@
application._p_jar.close()
# "Log off" as system user
- AccessControl.SecurityManagement.noSecurityManager()
+ noSecurityManager()
# This is really ugly. Please remember to remove Main.py before
# Zope 2.7 and fix whatever breaks, if anything.
@@ -107,9 +108,23 @@
Zope.zpublisher_transactions_manager = TransactionsManager()
Zope.zpublisher_exception_hook = zpublisher_exception_hook
- Zope.zpublisher_validated_hook = (
- AccessControl.SecurityManagement.newSecurityManager)
- Zope.__bobo_before__ = AccessControl.SecurityManagement.noSecurityManager
+ Zope.zpublisher_validated_hook = validated_hook
+ Zope.__bobo_before__ = noSecurityManager
+
+
+def validated_hook(request, user):
+ newSecurityManager(request, user)
+ if request.get(Globals.VersionNameName, ''):
+ object = user.aq_parent
+ if not getSecurityManager().checkPermission(
+ 'Join/leave Versions', object):
+ request['RESPONSE'].setCookie(
+ Globals.VersionNameName,'No longer active',
+ expires="Mon, 25-Jan-1999 23:59:59 GMT",
+ path=(request['BASEPATH1'] or '/'),
+ )
+ raise Unauthorized, "You don't have permission to enter versions."
+
class RequestContainer(ExtensionClass.Base):
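Review bot: In `validated_hook`, `object = user.aq_parent` assumes every validated user arrives acquisition-wrapped, and the hunk does not show whether that always holds. If a user ever arrives unwrapped, the version check ends in an AttributeError rather than an explicit access decision. A guarded lookup such as `context = getattr(user, 'aq_parent', None)`, followed by the same cookie reset and `Unauthorized` when it is None, would make that path deliberate, and the new name avoids shadowing the builtin `object`. The function also has no docstring; one could state that the permission is evaluated on the user's container rather than on the published object, and that the backdated `expires` value is what removes the version cookie from the client.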