[Zope-Checkins] SVN: Zope/trunk/ Protect names from interface superclasses.

Tres Seaver tseaver at palladion.com
Mon Jun 25 11:42:41 EDT 2007


Log message for revision 77058:
  Protect names from interface superclasses.
  
  o See http://www.zope.org/Collectors/Zope/2333
  
  

Changed:
  U   Zope/trunk/doc/CHANGES.txt
  U   Zope/trunk/lib/python/Products/Five/browser/metaconfigure.py
  U   Zope/trunk/lib/python/Products/Five/tests/test_security.py

-=-
Modified: Zope/trunk/doc/CHANGES.txt
===================================================================
--- Zope/trunk/doc/CHANGES.txt	2007-06-25 15:24:46 UTC (rev 77057)
+++ Zope/trunk/doc/CHANGES.txt	2007-06-25 15:42:39 UTC (rev 77058)
@@ -97,6 +97,9 @@
 
     Bugs Fixed
 
+      - Five.browser.metaconfigure.page didn't protect names from interface
+        superclasses (http://www.zope.org/Collectors/Zope/2333)
+
       - Fixed bug in ZPublisher.BaseRequest with persistent site managers.
         An EndRequestEvent was thrown after the ZODB connection was already
         closed and thus the site manager not being available anymore.

Modified: Zope/trunk/lib/python/Products/Five/browser/metaconfigure.py
===================================================================
--- Zope/trunk/lib/python/Products/Five/browser/metaconfigure.py	2007-06-25 15:24:46 UTC (rev 77057)
+++ Zope/trunk/lib/python/Products/Five/browser/metaconfigure.py	2007-06-25 15:42:39 UTC (rev 77058)
@@ -60,7 +60,7 @@
         allowed_attributes = []
     if allowed_interface is not None:
         for interface in allowed_interface:
-            allowed_attributes.extend(interface.names())
+            allowed_attributes.extend(interface.names(all=True))
 
     if attribute != '__call__':
         if template:
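Review bot: The `interface.names(all=True)` call changes which names the page permission covers, and the line carries no comment saying so. Every name declared on any base of an `allowed_interface` entry is now collected into `allowed_attributes`, not only the names declared directly on it. I would add `# all=True: also protect names inherited from base interfaces (Collector #2333)` above the `extend` call, so that a later cleanup does not drop the argument. Anyone listing an interface that inherits from a broad base should expect all of the inherited names to become reachable under the directive's permission. The enclosing function starts and ends outside this hunk, so I cannot tell whether other handlers in this module that accept `allowed_interface` gather names the same way; if they do, they presumably need the same argument.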

Modified: Zope/trunk/lib/python/Products/Five/tests/test_security.py
===================================================================
--- Zope/trunk/lib/python/Products/Five/tests/test_security.py	2007-06-25 15:24:46 UTC (rev 77057)
+++ Zope/trunk/lib/python/Products/Five/tests/test_security.py	2007-06-25 15:42:39 UTC (rev 77058)
@@ -22,9 +22,21 @@
 from zope.interface import Interface, implements
 from AccessControl import ClassSecurityInfo
 
-class IDummy(Interface):
+class ISuperDummy(Interface):
+    """
+    """
+
+    def superMethod():
+        """
+        """
+
+class IDummy(ISuperDummy):
     """Just a marker interface"""
 
+    def foo():
+        """
+        """
+
 class Dummy1:
     implements(IDummy)
     def foo(self): pass
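Review bot: The docstring on `IDummy` still reads "Just a marker interface", but with this change it declares `foo` and inherits `superMethod` from `ISuperDummy`, so it is no longer a marker. I would reword it to something like `"""Fixture interface: declares foo and inherits superMethod."""`. The empty docstrings on `ISuperDummy` and on the two method declarations could each get a one-line purpose, e.g. `"""Base interface whose names must be protected via IDummy."""`. The `Dummy1` class continues outside this hunk.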
@@ -32,6 +44,7 @@
     def baz(self): pass
     def keg(self): pass
     def wot(self): pass
+    def superMethod(self): pass
 
 class Dummy2(Dummy1):
     security = ClassSecurityInfo()
@@ -136,6 +149,78 @@
       >>> tearDown()
     """
 
+def test_allowed_interface():
+    """This test demonstrates that allowed_interface security declarations work
+    as expected.
+
+      >>> from zope.app.testing.placelesssetup import setUp, tearDown
+      >>> setUp()
+
+    Before we can make security declarations through ZCML, we need to
+    register the directive and the permission:
+
+      >>> import Products.Five
+      >>> from Products.Five import zcml
+      >>> zcml.load_config('meta.zcml', Products.Five)
+      >>> import Products.Five.browser
+      >>> zcml.load_config('meta.zcml', Products.Five.browser)
+      >>> zcml.load_config('permissions.zcml', Products.Five)
+
+    Now we provide some ZCML declarations for ``Dummy1``:
+
+      >>> configure_zcml = '''
+      ... <configure xmlns="http://namespaces.zope.org/zope"
+      ...            xmlns:browser="http://namespaces.zope.org/browser">
+      ...   <browser:page
+      ...       for="*"
+      ...       name="testview"
+      ...       permission="zope2.ViewManagementScreens"
+      ...       class="Products.Five.tests.test_security.Dummy1"
+      ...       allowed_interface="Products.Five.tests.test_security.IDummy" />
+      ... </configure>
+      ... '''
+      >>> zcml.load_string(configure_zcml)
+
+    We are going to check that roles are correctly setup, so we need getRoles.
+
+      >>> from AccessControl.ZopeSecurityPolicy import getRoles
+      >>> from AccessControl import ACCESS_PRIVATE
+
+    Due to the nasty voodoo involved in Five's handling of view classes,
+    browser:page doesn't apply security to Dummy1, but rather to the "magic"
+    view class that is created at ZCML parse time.  That means we can't just
+    instanciate with Dummy1() directly and expect a security-aware instance :(.
+    Instead, we'll have to actually lookup the view.  The view was declared for
+    "*", so we just use an instance of Dummy1 ;-).
+
+    Instanciate a Dummy1 object to test with.
+
+      >>> from Products.Five.tests.test_security import Dummy1
+      >>> dummy1 = Dummy1()
+      >>> from zope.component import getMultiAdapter
+      >>> from zope.publisher.browser import TestRequest
+      >>> request = TestRequest()
+      >>> view = getMultiAdapter((dummy1, request), name="testview")
+
+    As 'foo' is defined in IDummy, it should have the 'Manager' role.
+
+      >>> getRoles(view, 'foo', view.foo, ('Def',))
+      ('Manager',)
+
+    As 'wot' is not defined in IDummy, it should be private.
+
+      >>> getRoles(view, 'wot', view.wot, ('Def',)) is ACCESS_PRIVATE
+      True
+
+    But 'superMethod' is defined on IDummy by inheritance from ISuperDummy, and
+    so should have the 'Manager' role setup.
+
+      >>> getRoles(view, 'superMethod', view.superMethod, ('Def',))
+      ('Manager',)
+
+      >>> tearDown()
+    """
+
 def test_checkPermission():
     """
     Test checkPermission
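Review bot: The new `test_allowed_interface` doctest exercises only one level of inheritance through a single `allowed_interface` entry. A regression that collected names from direct bases only would still pass. A third fixture interface above `ISuperDummy`, checked with one more `getRoles(...)` example, would pin the full ancestor walk that `names(all=True)` is relied on for. The `('Manager',)` expectations also depend on the role mapping loaded from `permissions.zcml`, which is worth stating in the narrative text next to the first assertion. Minor: "instanciate" in the docstring should read "instantiate". `test_checkPermission` continues outside this hunk.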


