[Zope-Checkins] SVN: Zope/trunk/src/Products/Five/browser/ - added more security tests
Yvo Schubbe
cvs-admin at zope.org
Wed Jul 11 18:31:57 UTC 2012
Log message for revision 127327:
- added more security tests
- fixed __ac_permissions__ created by the browser:view directive
Changed:
U Zope/trunk/src/Products/Five/browser/metaconfigure.py
U Zope/trunk/src/Products/Five/browser/tests/pages.py
U Zope/trunk/src/Products/Five/browser/tests/pages.txt
U Zope/trunk/src/Products/Five/browser/tests/pages.zcml
-=-
Modified: Zope/trunk/src/Products/Five/browser/metaconfigure.py
===================================================================
--- Zope/trunk/src/Products/Five/browser/metaconfigure.py 2012-07-11 18:21:07 UTC (rev 127326)
+++ Zope/trunk/src/Products/Five/browser/metaconfigure.py 2012-07-11 18:31:54 UTC (rev 127327)
@@ -262,6 +262,7 @@
)
if class_ is not None:
+ cdict.update(getSecurityInfo(class_))
bases = (class_, simple)
else:
bases = (simple,)
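Review bot: The added `cdict.update(getSecurityInfo(class_))` carries the security-relevant part of this fix but has no comment saying why the base class's declarations are copied into the generated class's dictionary. I would put above it `# Carry over class_'s own security declarations so the directive's permission is combined with them rather than replacing them.`, which matches what the new doctest in pages.txt describes. Because `update` runs after whatever filled `cdict` earlier in the function, any key set there that `getSecurityInfo` also returns would be silently overwritten, so it is worth confirming no such overlap exists. The enclosing function starts and ends outside this hunk, so that part cannot be checked from here.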
Modified: Zope/trunk/src/Products/Five/browser/tests/pages.py
===================================================================
--- Zope/trunk/src/Products/Five/browser/tests/pages.py 2012-07-11 18:21:07 UTC (rev 127326)
+++ Zope/trunk/src/Products/Five/browser/tests/pages.py 2012-07-11 18:31:54 UTC (rev 127327)
@@ -14,9 +14,11 @@
"""Test browser pages
"""
+from AccessControl.class_init import InitializeClass
+from AccessControl.SecurityInfo import ClassSecurityInfo
+from OFS.SimpleItem import SimpleItem
from Products.Five import BrowserView
from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
-from OFS.SimpleItem import SimpleItem
class SimpleView(BrowserView):
@@ -96,3 +98,25 @@
def method(self):
"""Docstring"""
return
+
+
+class ProtectedView(object):
+
+ security = ClassSecurityInfo()
+
+ security.declarePublic('public_method')
+ def public_method(self):
+ """Docstring"""
+ return u'PUBLIC'
+
+ security.declareProtected('View', 'protected_method')
+ def protected_method(self):
+ """Docstring"""
+ return u'PROTECTED'
+
+ security.declarePrivate('private_method')
+ def private_method(self):
+ """Docstring"""
+ return u'PRIVATE'
+
+InitializeClass(ProtectedView)
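Review bot: `ProtectedView` has no class docstring or comment explaining that it is a fixture for the security tests, or why it derives from `object` rather than `BrowserView` like `SimpleView` earlier in the file. That choice looks deliberate, presumably so the directives have to supply the view base themselves, but a reader cannot tell. I would add a docstring such as `"""Plain class with public, protected and private methods; used to check that browser directives keep class-level security declarations."""`. The permission name in `security.declareProtected('View', 'protected_method')` could also come from `AccessControl.Permissions.view` instead of a string literal, so a typo fails at import rather than silently declaring a new permission.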
Modified: Zope/trunk/src/Products/Five/browser/tests/pages.txt
===================================================================
--- Zope/trunk/src/Products/Five/browser/tests/pages.txt 2012-07-11 18:21:07 UTC (rev 127326)
+++ Zope/trunk/src/Products/Five/browser/tests/pages.txt 2012-07-11 18:31:54 UTC (rev 127327)
@@ -319,7 +319,53 @@
<html><body><img alt=""
src="http://nohost/test_folder_1_/testoid/++resource++pattern.png" /></body></html>
+Security settings of the base class are combined with new settings based on the
+view permission:
+ >>> from AccessControl import ACCESS_PUBLIC
+ >>> view = self.folder.unrestrictedTraverse('testoid/protected_class_page')
+ >>> view.__parent__ == self.folder.testoid
+ True
+ >>> view.__ac_permissions__
+ (('View', ('protected_method',)), ('View management screens', ('', '__call__')))
+ >>> aq_acquire(view, '__call____roles__')
+ ('Manager',)
+ >>> aq_acquire(view, 'public_method__roles__') is ACCESS_PUBLIC
+ True
+ >>> aq_acquire(view, 'protected_method__roles__')
+ ['Manager', 'test_role_1_', 'Manager', 'Anonymous']
+ >>> aq_acquire(view, 'private_method__roles__') is ACCESS_PRIVATE
+ True
+
+ >>> view = self.folder.unrestrictedTraverse('testoid/protected_template_class_page')
+ >>> view.__parent__ == self.folder.testoid
+ True
+ >>> view.__ac_permissions__
+ (('View', ('protected_method',)), ('View management screens', ('', '__call__')))
+ >>> aq_acquire(view, '__call____roles__')
+ ('Manager',)
+ >>> aq_acquire(view, 'public_method__roles__') is ACCESS_PUBLIC
+ True
+ >>> aq_acquire(view, 'protected_method__roles__')
+ ['Manager', 'test_role_1_', 'Manager', 'Anonymous']
+ >>> aq_acquire(view, 'private_method__roles__') is ACCESS_PRIVATE
+ True
+
+ >>> view = self.folder.unrestrictedTraverse('testoid/protected_class_view')
+ >>> view.__parent__ == self.folder.testoid
+ True
+ >>> view.__ac_permissions__
+ (('View', ('protected_method',)), ('View management screens', ('',)))
+ >>> getattr(view, '__call____roles__', False)
+ False
+ >>> aq_acquire(view, 'public_method__roles__') is ACCESS_PUBLIC
+ True
+ >>> aq_acquire(view, 'protected_method__roles__')
+ ['Manager', 'test_role_1_', 'Manager', 'Anonymous']
+ >>> aq_acquire(view, 'private_method__roles__') is ACCESS_PRIVATE
+ True
+
+
Clean up
--------
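Review bot: These doctests read the `__roles__` attributes after `unrestrictedTraverse`, so they confirm the declarations are recorded but never exercise an actual access check. A case that reaches the view with `restrictedTraverse` as a user lacking 'View management screens' and expects `Unauthorized` would show that the combined settings are enforced as well. The expected value `['Manager', 'test_role_1_', 'Manager', 'Anonymous']` pins list order and a duplicated 'Manager', which ties the assertion to fixture details; comparing `sorted(set(...))` would be less brittle. `aq_acquire` and `ACCESS_PRIVATE` are not imported in this hunk, so they presumably come from earlier in the file.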
Modified: Zope/trunk/src/Products/Five/browser/tests/pages.zcml
===================================================================
--- Zope/trunk/src/Products/Five/browser/tests/pages.zcml 2012-07-11 18:21:07 UTC (rev 127326)
+++ Zope/trunk/src/Products/Five/browser/tests/pages.zcml 2012-07-11 18:31:54 UTC (rev 127327)
@@ -250,4 +250,28 @@
permission="zope2.Public"
/>
+ <!-- views with protected methods -->
+
+ <browser:page
+ for="Products.Five.tests.testing.simplecontent.ISimpleContent"
+ class=".pages.ProtectedView"
+ name="protected_class_page"
+ permission="zope2.ViewManagementScreens"
+ />
+
+ <browser:page
+ for="Products.Five.tests.testing.simplecontent.ISimpleContent"
+ class=".pages.ProtectedView"
+ template="falcon.pt"
+ name="protected_template_class_page"
+ permission="zope2.ViewManagementScreens"
+ />
+
+ <browser:view
+ for="Products.Five.tests.testing.simplecontent.ISimpleContent"
+ class=".pages.ProtectedView"
+ name="protected_class_view"
+ permission="zope2.ViewManagementScreens"
+ />
+
</configure>
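Review bot: The comment `<!-- views with protected methods -->` does not say why all three registrations use `zope2.ViewManagementScreens`. The permission appears to be chosen so that the directive-level permission differs from the 'View' permission declared on `protected_method` in `.pages.ProtectedView`, which lets the doctests tell the two sources apart. I would expand the comment to something like `<!-- views with protected methods; the directive permission deliberately differs from the class's own 'View' declaration -->`.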