[Zope-Checkins] SVN: Products.Five/branches/1.2/ Merge security fix from 1.4 branch r71418:71419

Alec Mitchell apm13 at columbia.edu
Wed Dec 6 18:05:40 EST 2006


Log message for revision 71473:
  Merge security fix from 1.4 branch r71418:71419
  

Changed:
  U   Products.Five/branches/1.2/CHANGES.txt
  U   Products.Five/branches/1.2/browser/metaconfigure.py
  U   Products.Five/branches/1.2/browser/tests/defaultview.zcml
  U   Products.Five/branches/1.2/browser/tests/pages.txt
  U   Products.Five/branches/1.2/browser/tests/pages.zcml
  U   Products.Five/branches/1.2/browser/tests/pages_ftest.txt
  U   Products.Five/branches/1.2/browser/tests/test_defaultview.py

-=-
Modified: Products.Five/branches/1.2/CHANGES.txt
===================================================================
--- Products.Five/branches/1.2/CHANGES.txt	2006-12-06 22:48:54 UTC (rev 71472)
+++ Products.Five/branches/1.2/CHANGES.txt	2006-12-06 23:05:40 UTC (rev 71473)
@@ -5,6 +5,9 @@
 Bugfixes
 --------
 
+* View methods which aren't explicitly declared as allowed must be marked
+  private explicitly to avoid being web publishable.
+
 * Made the __call__ method of ViewMixinForAttributes have the same signature
   as the original attribute.  This aids some pathological request parameter
   marshalling.

Modified: Products.Five/branches/1.2/browser/metaconfigure.py
===================================================================
--- Products.Five/branches/1.2/browser/metaconfigure.py	2006-12-06 22:48:54 UTC (rev 71472)
+++ Products.Five/branches/1.2/browser/metaconfigure.py	2006-12-06 23:05:40 UTC (rev 71473)
@@ -19,6 +19,7 @@
 $Id$
 """
 import os
+from inspect import ismethod
 
 from zope.interface import Interface
 from zope.component import getGlobalService, ComponentLookupError
@@ -42,6 +43,7 @@
 from Products.Five.metaclass import makeClass
 from Products.Five.security import getSecurityInfo, protectClass, \
     protectName, initializeClass
+from Products.Five.security import CheckerPrivateId
 
 import ExtensionClass
 
@@ -140,6 +142,19 @@
                 callable = protectName,
                 args = (new_class, attr, permission)
                 )
+    # Make everything else private
+    allowed = [attribute] + (allowed_attributes or [])
+    private_attrs = [name for name in dir(new_class)
+                     if (not name.startswith('_')) and
+                        (name not in allowed) and
+                        ismethod(getattr(new_class, name))]
+    for attr in private_attrs:
+        _context.action(
+            discriminator = ('five:protectName', new_class, attr),
+            callable = protectName,
+            args = (new_class, attr, CheckerPrivateId)
+            )
+    # Protect the class
     _context.action(
         discriminator = ('five:initialize:class', new_class),
         callable = initializeClass,
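Review bot: The private-by-default sweep added at `private_attrs = [...]` keys on `ismethod(getattr(new_class, name))`, so a public attribute that is callable but not a method (a callable class attribute or a non-method descriptor) is neither in `allowed` nor marked private, and whatever the class's existing security declarations say about it still stands. If the intent stated in CHANGES is that only `attribute` and `allowed_attributes` are publishable, the filter probably wants to be `callable(getattr(new_class, name))`, but that needs checking against the non-method attributes page classes normally carry before widening it. `allowed` is a list scanned once per `dir()` entry; `allowed = set([attribute]) | set(allowed_attributes or [])` reads as the membership test it is. The enclosing directive function starts before this hunk, and `attribute` and `allowed_attributes` come from its signature outside the visible lines.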

Modified: Products.Five/branches/1.2/browser/tests/defaultview.zcml
===================================================================
--- Products.Five/branches/1.2/browser/tests/defaultview.zcml	2006-12-06 22:48:54 UTC (rev 71472)
+++ Products.Five/branches/1.2/browser/tests/defaultview.zcml	2006-12-06 23:05:40 UTC (rev 71473)
@@ -30,6 +30,11 @@
   <five:defaultViewable
       class="Products.Five.tests.testing.simplecontent.IndexSimpleContent" />
 
+  <class class="Products.Five.tests.testing.simplecontent.IIndexSimpleContent">
+    <require permission="zope2.Public"
+             attributes="index_html"/>
+  </class>
+
   <browser:defaultView
       for="Products.Five.tests.testing.simplecontent.IIndexSimpleContent"
       name="index_html"

Modified: Products.Five/branches/1.2/browser/tests/pages.txt
===================================================================
--- Products.Five/branches/1.2/browser/tests/pages.txt	2006-12-06 22:48:54 UTC (rev 71472)
+++ Products.Five/branches/1.2/browser/tests/pages.txt	2006-12-06 23:05:40 UTC (rev 71473)
@@ -277,7 +277,7 @@
   >>> self.login('manager')
 
 Being logged in as a manager again, we find that the protected pages
-are not accessible to us:
+are accessible to us:
 
   >>> for view_name in protected_view_names:
   ...     checkRestricted(
@@ -288,7 +288,13 @@
   ...     self.folder,
   ...     'context.restrictedTraverse("testoid/eagle.method").eagle()')
 
+Even when logged in though the private methods should not be accessible:
 
+  >>> checkUnauthorized( self.folder,
+  ...             'context.restrictedTraverse("testoid/eagle.method").mouse()')
+
+
+
 Other
 -----
 

Modified: Products.Five/branches/1.2/browser/tests/pages.zcml
===================================================================
--- Products.Five/branches/1.2/browser/tests/pages.zcml	2006-12-06 22:48:54 UTC (rev 71472)
+++ Products.Five/branches/1.2/browser/tests/pages.zcml	2006-12-06 23:05:40 UTC (rev 71473)
@@ -19,7 +19,7 @@
       for="Products.Five.tests.testing.simplecontent.ISimpleContent"
       class=".pages.SimpleView"
       name="eagle.method"
-      permission="zope2.ViewManagementScreens"
+      permission="zope2.View"
       allowed_attributes="eagle"
       />
 

Modified: Products.Five/branches/1.2/browser/tests/pages_ftest.txt
===================================================================
--- Products.Five/branches/1.2/browser/tests/pages_ftest.txt	2006-12-06 22:48:54 UTC (rev 71472)
+++ Products.Five/branches/1.2/browser/tests/pages_ftest.txt	2006-12-06 23:05:40 UTC (rev 71473)
@@ -81,6 +81,13 @@
   ...     status = response.getStatus()
   ...     self.failUnless(status == 401, (status, 401, view_name))
 
+Methods of views which were not explicitly declared as allowed should not be
+accessible TTW, even if we have the permission to render the view:
+
+  >>> response = self.publish('/test_folder_1_/testoid/eagle.method/mouse',
+  ...                         basic='viewer:secret')
+  >>> self.assertEqual(response.getStatus(), 401)
+
 The same should apply for the user if he has all other permissions
 except 'View management screens':
 

Modified: Products.Five/branches/1.2/browser/tests/test_defaultview.py
===================================================================
--- Products.Five/branches/1.2/browser/tests/test_defaultview.py	2006-12-06 22:48:54 UTC (rev 71472)
+++ Products.Five/branches/1.2/browser/tests/test_defaultview.py	2006-12-06 23:05:40 UTC (rev 71473)
@@ -171,8 +171,8 @@
 
     Clean up adapter registry and others:
 
-      >>> from zope.testing.cleanup import cleanUp
-      >>> cleanUp()
+      >>> from zope.app.tests.placelesssetup import tearDown
+      >>> tearDown()
     """
 
 def test_suite():
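Review bot: The switch from `zope.testing.cleanup.cleanUp` to `zope.app.tests.placelesssetup.tearDown` in this doctest is not mentioned in the log message or the CHANGES entry, so a reader cannot tell whether it belongs to the security fix or is an unrelated part of the merge. Presumably the placeless `tearDown` undoes setup that this test performs earlier in the docstring (outside the hunk); if so, a short note on the preceding line, `Clean up adapter registry and others (placeless tearDown matches the setUp used above):`, would make the dependency explicit. The enclosing docstring starts before this hunk.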


