[Zope-Checkins] SVN: Products.Five/branches/1.4/ View methods which aren't explicitly declared as allowed must be marked private explicitly to avoid being web publishable.
Alec Mitchell
apm13 at columbia.edu
Tue Dec 5 13:13:34 EST 2006
Log message for revision 71419:
View methods which aren't explicitly declared as allowed must be marked private explicitly to avoid being web publishable.
Changed:
U Products.Five/branches/1.4/CHANGES.txt
U Products.Five/branches/1.4/browser/metaconfigure.py
U Products.Five/branches/1.4/browser/tests/defaultview.zcml
U Products.Five/branches/1.4/browser/tests/pages.txt
U Products.Five/branches/1.4/browser/tests/pages.zcml
U Products.Five/branches/1.4/browser/tests/pages_ftest.txt
-=-
Modified: Products.Five/branches/1.4/CHANGES.txt
===================================================================
--- Products.Five/branches/1.4/CHANGES.txt 2006-12-05 15:32:28 UTC (rev 71418)
+++ Products.Five/branches/1.4/CHANGES.txt 2006-12-05 18:13:34 UTC (rev 71419)
@@ -8,6 +8,9 @@
Bugfixes
--------
+* View methods which aren't explicitly declared as allowed must be marked
+ private explicitly to avoid being web publishable.
+
* site/metaconfigure: Local site hook now only applied once per class, so
multiple <five:localsite> tags for the same class won't cause config
errors.
Modified: Products.Five/branches/1.4/browser/metaconfigure.py
===================================================================
--- Products.Five/branches/1.4/browser/metaconfigure.py 2006-12-05 15:32:28 UTC (rev 71418)
+++ Products.Five/branches/1.4/browser/metaconfigure.py 2006-12-05 18:13:34 UTC (rev 71419)
@@ -19,6 +19,7 @@
$Id$
"""
import os
+from inspect import ismethod
from zope.interface import Interface
from zope.configuration.exceptions import ConfigurationError
@@ -39,6 +40,7 @@
from Products.Five.browser.pagetemplatefile import ZopeTwoPageTemplateFile
from Products.Five.metaclass import makeClass
from Products.Five.security import getSecurityInfo, protectClass, protectName
+from Products.Five.security import CheckerPrivateId
from Globals import InitializeClass as initializeClass
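Review bot: `CheckerPrivateId` is imported from the same module as the line directly above it; fold it into the existing `from Products.Five.security import getSecurityInfo, protectClass, protectName` line rather than adding a second import of `Products.Five.security`.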
@@ -136,6 +138,19 @@
callable = protectName,
args = (new_class, attr, permission)
)
+ # Make everything else private
+ allowed = [attribute] + (allowed_attributes or [])
+ private_attrs = [name for name in dir(new_class)
+ if (not name.startswith('_')) and
+ (name not in allowed) and
+ ismethod(getattr(new_class, name))]
+ for attr in private_attrs:
+ _context.action(
+ discriminator = ('five:protectName', new_class, attr),
+ callable = protectName,
+ args = (new_class, attr, CheckerPrivateId)
+ )
+ # Protect the class
_context.action(
discriminator = ('five:initialize:class', new_class),
callable = initializeClass,
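Review bot: the sweep in `private_attrs` filters on `ismethod(getattr(new_class, name))`, so only plain methods are declared private; any other public callable attribute on the view class (for instance a `ZopeTwoPageTemplateFile` assigned as a class attribute, as imported in this module) keeps whatever protection it had before. Either widen the filter or state in the `# Make everything else private` comment why methods are the only concern. Two related points: `dir(new_class)` also lists names inherited from the view's base classes, so every public method of those bases is declared private on this subclass too, which deserves a comment if intended; and `allowed` is built only from `attribute` and `allowed_attributes`, so if the directive also accepts `allowed_interface`, confirm those names were already merged into `allowed_attributes` before this point, otherwise they are now marked private. Minor: the new `# Protect the class` comment sits above the `initializeClass` action, which initializes the class's security rather than protecting it; `# Initialize class security` would be more accurate.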
Modified: Products.Five/branches/1.4/browser/tests/defaultview.zcml
===================================================================
--- Products.Five/branches/1.4/browser/tests/defaultview.zcml 2006-12-05 15:32:28 UTC (rev 71418)
+++ Products.Five/branches/1.4/browser/tests/defaultview.zcml 2006-12-05 18:13:34 UTC (rev 71419)
@@ -30,6 +30,11 @@
<five:defaultViewable
class="Products.Five.tests.testing.simplecontent.IndexSimpleContent" />
+ <class class="Products.Five.tests.testing.simplecontent.IIndexSimpleContent">
+ <require permission="zope2.Public"
+ attributes="index_html"/>
+ </class>
+
<browser:defaultView
for="Products.Five.tests.testing.simplecontent.IIndexSimpleContent"
name="index_html"
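Review bot: the new `<class class="Products.Five.tests.testing.simplecontent.IIndexSimpleContent">` names the interface, while the `five:defaultViewable` directive just above it names the class `IndexSimpleContent`; since `<class>` attaches security declarations to a class, confirm this should not read `IndexSimpleContent`, or add an XML comment explaining why the `index_html` declaration targets the interface.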
Modified: Products.Five/branches/1.4/browser/tests/pages.txt
===================================================================
--- Products.Five/branches/1.4/browser/tests/pages.txt 2006-12-05 15:32:28 UTC (rev 71418)
+++ Products.Five/branches/1.4/browser/tests/pages.txt 2006-12-05 18:13:34 UTC (rev 71419)
@@ -279,7 +279,7 @@
>>> self.login('manager')
Being logged in as a manager again, we find that the protected pages
-are not accessible to us:
+are accessible to us:
>>> for view_name in protected_view_names:
... checkRestricted(
@@ -290,7 +290,13 @@
... self.folder,
... 'context.restrictedTraverse("testoid/eagle.method").eagle()')
+Even when logged in though the private methods should not be accessible:
+ >>> checkUnauthorized( self.folder,
+ ... 'context.restrictedTraverse("testoid/eagle.method").mouse()')
+
+
+
Other
-----
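Review bot: three consecutive blank `+` lines are added after the `checkUnauthorized` call; one blank line before the `Other` heading is enough. The new sentence also reads more clearly with commas, `Even when logged in, though, the private methods should not be accessible:`.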
Modified: Products.Five/branches/1.4/browser/tests/pages.zcml
===================================================================
--- Products.Five/branches/1.4/browser/tests/pages.zcml 2006-12-05 15:32:28 UTC (rev 71418)
+++ Products.Five/branches/1.4/browser/tests/pages.zcml 2006-12-05 18:13:34 UTC (rev 71419)
@@ -19,7 +19,7 @@
for="Products.Five.tests.testing.simplecontent.ISimpleContent"
class=".pages.SimpleView"
name="eagle.method"
- permission="zope2.ViewManagementScreens"
+ permission="zope2.View"
allowed_attributes="eagle"
/>
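Review bot: lowering `eagle.method` from `zope2.ViewManagementScreens` to `zope2.View` changes what the existing protected-page assertions in pages.txt and pages_ftest.txt exercise for this view; a short XML comment next to `permission="zope2.View"` saying the view is deliberately viewable so the tests can show that the non-allowed `mouse` method is still private would keep the fixture self-explanatory.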
Modified: Products.Five/branches/1.4/browser/tests/pages_ftest.txt
===================================================================
--- Products.Five/branches/1.4/browser/tests/pages_ftest.txt 2006-12-05 15:32:28 UTC (rev 71418)
+++ Products.Five/branches/1.4/browser/tests/pages_ftest.txt 2006-12-05 18:13:34 UTC (rev 71419)
@@ -81,6 +81,13 @@
... status = response.getStatus()
... self.failUnless(status == 401, (status, 401, view_name))
+Methods of views which were not explicitly declared as allowed should not be
+accessible TTW, even if we have the permission to render the view:
+
+ >>> response = self.publish('/test_folder_1_/testoid/eagle.method/mouse',
+ ... basic='viewer:secret')
+ >>> self.assertEqual(response.getStatus(), 401)
+
The same should apply for the user if he has all other permissions
except 'View management screens':
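Review bot: the new assertion only checks that `/test_folder_1_/testoid/eagle.method/mouse` returns 401 for `viewer:secret`; add a positive control in the same doctest that publishes the view itself (or its allowed `eagle` attribute) with the same credentials and asserts 200, so the 401 is shown to come from the private method and not from the view being inaccessible to that user.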
@@ -122,6 +129,7 @@
... self.failUnless(status == 200, (status, 200, view_name))
+
Miscellaneous
-------------