[Zope-Checkins] SVN: Zope/branches/2.12/ LP #578326: Issue a warning if someone specifies a non-public permission attribute in the browser:view directive. This attribute has never been supported in Zope 2. This should at least make it obvious where people might have been relying on false security assumptions.
Hanno Schlichting
hannosch at hannosch.eu
Sat Jun 26 11:57:34 EDT 2010
Log message for revision 113898:
LP #578326: Issue a warning if someone specifies a non-public permission attribute in the browser:view directive. This attribute has never been supported in Zope 2. This should at least make it obvious where people might have been relying on false security assumptions.
Changed:
U Zope/branches/2.12/doc/CHANGES.rst
U Zope/branches/2.12/src/Products/Five/browser/meta.zcml
U Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py
-=-
Modified: Zope/branches/2.12/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.12/doc/CHANGES.rst 2010-06-26 15:33:27 UTC (rev 113897)
+++ Zope/branches/2.12/doc/CHANGES.rst 2010-06-26 15:57:34 UTC (rev 113898)
@@ -11,6 +11,9 @@
Bugs Fixed
++++++++++
+- LP #578326: Issue a warning if someone specifies a non-public permission
+ attribute in the browser:view directive. This attribute has never been
+ supported in Zope 2.
2.12.8 (2010-06-25)
Modified: Zope/branches/2.12/src/Products/Five/browser/meta.zcml
===================================================================
--- Zope/branches/2.12/src/Products/Five/browser/meta.zcml 2010-06-26 15:33:27 UTC (rev 113897)
+++ Zope/branches/2.12/src/Products/Five/browser/meta.zcml 2010-06-26 15:57:34 UTC (rev 113898)
@@ -42,7 +42,7 @@
<meta:complexDirective
name="view"
- schema="zope.app.publisher.browser.metadirectives.IViewDirective"
+ schema=".metaconfigure.IFiveViewDirective"
handler=".metaconfigure.view"
>
Modified: Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py
===================================================================
--- Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py 2010-06-26 15:33:27 UTC (rev 113897)
+++ Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py 2010-06-26 15:57:34 UTC (rev 113898)
@@ -20,6 +20,7 @@
"""
import os
from inspect import ismethod
+import warnings
from zope import component
from zope.interface import implements
@@ -31,6 +32,7 @@
from zope.publisher.interfaces.browser import IDefaultBrowserLayer
from zope.publisher.interfaces.browser import IBrowserPublisher
from zope.publisher.interfaces.browser import IBrowserRequest
+from zope.security.zcml import Permission
import zope.app.publisher.browser.viewmeta
from zope.app.publisher.browser.viewmeta import providesCallable
@@ -177,8 +179,44 @@
# view (named view with pages)
+from zope.app.publisher.browser.metadirectives import IViewDirective
+
+class IFiveViewDirective(IViewDirective):
+
+ permission = Permission(
+ title=u"Permission",
+ description=u"The permission needed to use the view.",
+ required=False,
+ )
+
+
class view(zope.app.publisher.browser.viewmeta.view):
+ # Let the permission default to zope.Public and not be required
+ # We should support this, as more users are expecting it to work.
+ def __init__(self, _context, for_, permission=None,
+ name='', layer=IDefaultBrowserLayer, class_=None,
+ allowed_interface=None, allowed_attributes=None,
+ menu=None, title=None, provides=Interface,
+ ):
+ if permission is None:
+ permission = 'zope.Public'
+ elif permission in ('zope.Public', 'zope2.Public'):
+ # No need to warn about the default case
+ pass
+ else:
+ warnings.warn("The permission option of the <browser:view /> "
+ "directive is not supported in Zope 2. " + \
+ "Ignored for %s in %s" %
+ (str(class_), _context.info), stacklevel=3)
+
+ super(view, self).__init__(
+ _context, for_, permission=permission, name=name, layer=layer,
+ class_=class_, allowed_interface=allowed_interface,
+ allowed_attributes=allowed_attributes, menu=menu, title=title,
+ provides=provides)
+
+
def __call__(self):
(_context, name, for_, permission, layer, class_,
allowed_interface, allowed_attributes) = self.args
More information about the Zope-Checkins
mailing list