[Zope-Checkins] SVN: Products.Five/branches/1.3/ Protect names from
interface superclasses.
Tres Seaver
tseaver at palladion.com
Mon Jun 25 11:11:31 EDT 2007
Log message for revision 77049:
Protect names from interface superclasses.
o See http://www.zope.org/Collectors/Zope/2333
Changed:
U Products.Five/branches/1.3/CHANGES.txt
U Products.Five/branches/1.3/browser/metaconfigure.py
U Products.Five/branches/1.3/tests/test_security.py
-=-
Modified: Products.Five/branches/1.3/CHANGES.txt
===================================================================
--- Products.Five/branches/1.3/CHANGES.txt 2007-06-25 15:00:17 UTC (rev 77048)
+++ Products.Five/branches/1.3/CHANGES.txt 2007-06-25 15:11:31 UTC (rev 77049)
@@ -5,6 +5,9 @@
Five 1.3.9 (svn/unreleased)
===========================
+* Five.browser.metaconfigure.page didn't protect names from interface
+ superclasses (http://www.zope.org/Collectors/Zope/2333)
+
* ObjectCopiedEvent was not dispatched to sublocations.
(http://www.zope.org/Collectors/Zope/2307)
Modified: Products.Five/branches/1.3/browser/metaconfigure.py
===================================================================
--- Products.Five/branches/1.3/browser/metaconfigure.py 2007-06-25 15:00:17 UTC (rev 77048)
+++ Products.Five/branches/1.3/browser/metaconfigure.py 2007-06-25 15:11:31 UTC (rev 77049)
@@ -58,7 +58,7 @@
allowed_attributes = []
if allowed_interface is not None:
for interface in allowed_interface:
- allowed_attributes.extend(interface.names())
+ allowed_attributes.extend(interface.names(all=True))
if attribute != '__call__':
if template:
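Review bot: The added `interface.names(all=True)` line is the whole fix, yet nothing next to it says why the flag is needed, so a later cleanup could drop it and go back to covering only directly declared names. I would put a comment above it, for example `# all=True: also cover names inherited from base interfaces (Collector #2333)`. It is also worth stating in the `allowed_interface` documentation that the page permission now follows the full interface hierarchy, so adding a base to a listed interface widens what that permission covers. The enclosing function starts and ends outside this hunk.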
Modified: Products.Five/branches/1.3/tests/test_security.py
===================================================================
--- Products.Five/branches/1.3/tests/test_security.py 2007-06-25 15:00:17 UTC (rev 77048)
+++ Products.Five/branches/1.3/tests/test_security.py 2007-06-25 15:11:31 UTC (rev 77049)
@@ -22,9 +22,21 @@
from zope.interface import Interface, implements
from AccessControl import ClassSecurityInfo
-class IDummy(Interface):
+class ISuperDummy(Interface):
+ """
+ """
+
+ def superMethod():
+ """
+ """
+
+class IDummy(ISuperDummy):
"""Just a marker interface"""
+ def foo():
+ """
+ """
+
class Dummy1:
implements(IDummy)
def foo(self): pass
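Review bot: The docstring kept on `IDummy`, `"""Just a marker interface"""`, is no longer accurate, because this hunk gives the interface a `foo()` declaration and an `ISuperDummy` base. Something like `"""Declares foo() and inherits superMethod() from ISuperDummy."""` would match the new code. The empty docstrings on `ISuperDummy` and on the two method declarations could also say what the fixture is for, e.g. `"""Base interface whose names must be protected through IDummy."""`. The body of `Dummy1` continues outside this hunk.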
@@ -32,6 +44,7 @@
def baz(self): pass
def keg(self): pass
def wot(self): pass
+ def superMethod(self): pass
class Dummy2(Dummy1):
security = ClassSecurityInfo()
@@ -136,6 +149,78 @@
>>> tearDown()
"""
+def test_allowed_interface():
+ """This test demonstrates that allowed_interface security declarations work
+ as expected.
+
+ >>> from zope.app.testing.placelesssetup import setUp, tearDown
+ >>> setUp()
+
+ Before we can make security declarations through ZCML, we need to
+ register the directive and the permission:
+
+ >>> import Products.Five
+ >>> from Products.Five import zcml
+ >>> zcml.load_config('meta.zcml', Products.Five)
+ >>> import Products.Five.browser
+ >>> zcml.load_config('meta.zcml', Products.Five.browser)
+ >>> zcml.load_config('permissions.zcml', Products.Five)
+
+ Now we provide some ZCML declarations for ``Dummy1``:
+
+ >>> configure_zcml = '''
+ ... <configure xmlns="http://namespaces.zope.org/zope"
+ ... xmlns:browser="http://namespaces.zope.org/browser">
+ ... <browser:page
+ ... for="*"
+ ... name="testview"
+ ... permission="zope2.ViewManagementScreens"
+ ... class="Products.Five.tests.test_security.Dummy1"
+ ... allowed_interface="Products.Five.tests.test_security.IDummy" />
+ ... </configure>
+ ... '''
+ >>> zcml.load_string(configure_zcml)
+
+ We are going to check that roles are correctly setup, so we need getRoles.
+
+ >>> from AccessControl.ZopeSecurityPolicy import getRoles
+ >>> from AccessControl import ACCESS_PRIVATE
+
+ Due to the nasty voodoo involved in Five's handling of view classes,
+ browser:page doesn't apply security to Dummy1, but rather to the "magic"
+ view class that is created at ZCML parse time. That means we can't just
+ instanciate with Dummy1() directly and expect a security-aware instance :(.
+ Instead, we'll have to actually lookup the view. The view was declared for
+ "*", so we just use an instance of Dummy1 ;-).
+
+ Instanciate a Dummy1 object to test with.
+
+ >>> from Products.Five.tests.test_security import Dummy1
+ >>> dummy1 = Dummy1()
+ >>> from zope.component import getMultiAdapter
+ >>> from zope.publisher.browser import TestRequest
+ >>> request = TestRequest()
+ >>> view = getMultiAdapter((dummy1, request), name="testview")
+
+ As 'foo' is defined in IDummy, it should have the 'Manager' role.
+
+ >>> getRoles(view, 'foo', view.foo, ('Def',))
+ ('Manager',)
+
+ As 'wot' is not defined in IDummy, it should be private.
+
+ >>> getRoles(view, 'wot', view.wot, ('Def',)) is ACCESS_PRIVATE
+ True
+
+ But 'superMethod' is defined on IDummy by inheritance from ISuperDummy, and
+ so should have the 'Manager' role setup.
+
+ >>> getRoles(view, 'superMethod', view.superMethod, ('Def',))
+ ('Manager',)
+
+ >>> tearDown()
+ """
+
def test_checkPermission():
"""
Test checkPermission
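Review bot: The prose in the new `test_allowed_interface` doctest misspells "instantiate" twice, as `instanciate with Dummy1()` and `Instanciate a Dummy1 object`. The second of these repeats what the preceding paragraph already says and could be dropped. Since this doctest is the regression record for a security fix, I would also name the Collector issue in its opening sentence, e.g. `including names inherited from base interfaces (Collector #2333)`, so the reason for the `superMethod` assertion is clear without the commit log.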