[Zope-Checkins] CVS: Zope/lib/python/Zope/App - startup.py:1.7
Jim Fulton
jim@zope.com
Wed, 11 Jun 2003 15:31:31 -0400
Update of /cvs-repository/Zope/lib/python/Zope/App
In directory cvs.zope.org:/tmp/cvs-serv7967/lib/python/Zope/App
Modified Files:
startup.py
Log Message:
Changed the zpublisher_validated_hook to check whether the request
contains a version name. If it does, then we check whether the user
globally has permission to join/leave versions. If they don't, we
clear the cookie and raise Unauthorized. This will abort any changes that
might have been made during traversal. (If some traversal code makes
changes and commits them, then we still lose and probably deserve to.)
=== Zope/lib/python/Zope/App/startup.py 1.6 => 1.7 ===
--- Zope/lib/python/Zope/App/startup.py:1.6 Tue Apr 8 13:56:11 2003
+++ Zope/lib/python/Zope/App/startup.py Wed Jun 11 15:31:31 2003
@@ -13,24 +13,27 @@
"""Initialize the Zope Package and provide a published module
"""
-import sys
-import os
-import imp
-from types import StringType, ListType
-
-import Zope
+from AccessControl.SecurityManagement import getSecurityManager
+from AccessControl.SecurityManagement import newSecurityManager
+from AccessControl.SecurityManagement import noSecurityManager
from Acquisition import aq_acquire
from App.config import getConfiguration
-import ZODB
-import ZODB.ZApplication
+from types import StringType, ListType
+from zExceptions import Unauthorized
+from zLOG import LOG, WARNING, INFO, BLATHER, log_time
from ZODB.POSException import ConflictError
+import AccessControl.User
+import App.FindHomes
+import ExtensionClass
import Globals
+import imp
import OFS.Application
-import AccessControl.SecurityManagement
-import AccessControl.User
+import os
+import sys
+import ZODB
+import ZODB.ZApplication
+import Zope
import ZPublisher
-import ExtensionClass
-from zLOG import LOG, WARNING, INFO, BLATHER, log_time
def startup():
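Review bot: `import App.FindHomes` is new in this import block and is not referenced in any hunk shown here, so it is presumably imported for its side effects; a comment such as `# imported for its side effects` would stop a later cleanup from removing it as unused. If it does have import-time effects, the alphabetical ordering now places it after `from App.config import getConfiguration` and the AccessControl imports, and it is worth confirming that this order is intended. The rest of the file is outside this hunk, so a use further down cannot be ruled out.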
@@ -79,8 +82,7 @@
DB.setClassFactory(ClassFactory.ClassFactory)
# "Log on" as system user
- AccessControl.SecurityManagement.newSecurityManager(
- None, AccessControl.User.system)
+ newSecurityManager(None, AccessControl.User.system)
# Set up the "app" object that automagically opens
# connections
@@ -99,7 +101,7 @@
application._p_jar.close()
# "Log off" as system user
- AccessControl.SecurityManagement.noSecurityManager()
+ noSecurityManager()
# This is really ugly. Please remember to remove Main.py before
# Zope 2.7 and fix whatever breaks, if anything.
@@ -110,9 +112,23 @@
Zope.zpublisher_transactions_manager = TransactionsManager()
Zope.zpublisher_exception_hook = zpublisher_exception_hook
- Zope.zpublisher_validated_hook = (
- AccessControl.SecurityManagement.newSecurityManager)
- Zope.__bobo_before__ = AccessControl.SecurityManagement.noSecurityManager
+ Zope.zpublisher_validated_hook = validated_hook
+ Zope.__bobo_before__ = noSecurityManager
+
+
+def validated_hook(request, user):
+ newSecurityManager(request, user)
+ if request.get(Globals.VersionNameName, ''):
+ object = user.aq_parent
+ if not getSecurityManager().checkPermission(
+ 'Join/leave Versions', object):
+ request['RESPONSE'].setCookie(
+ Globals.VersionNameName,'No longer active',
+ expires="Mon, 25-Jan-1999 23:59:59 GMT",
+ path=(request['BASEPATH1'] or '/'),
+ )
+ raise Unauthorized, "You don't have permission to enter versions."
+
class RequestContainer(ExtensionClass.Base):
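Review bot: In `validated_hook`, `object = user.aq_parent` assumes the validated user is acquisition-wrapped; if an unwrapped user object can reach this hook (not determinable from this hunk), the lookup raises AttributeError, so the cookie is never cleared and the caller gets an error rather than Unauthorized. Something like `container = getattr(user, 'aq_parent', None)` with an explicit denial when it is `None` would keep the outcome deliberate, and would also avoid shadowing the builtin `object`. The refusal is not logged even though `LOG` and `WARNING` are imported at the top of the file; a warning entry naming the user and the requested version would let operators see refused attempts to enter a version. A short docstring stating that the permission is checked against `user.aq_parent`, not the published object, would also help the next reader.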