[The BFG Trac instance seems to be in disrepair, so I'm re-reporting 
this here.]

The application below should disallow the user from seeing the view 
named "x", while allowing the user to see the view named "test", which 
uses view_execution_permitted() to show whether the user is allowed to 
see "x".  In BFG 1.3b1, the "test" view says the user is allowed to see 
"x", which is incorrect: the user is never allowed to see "x" under any 
version of BFG.

from cgi import escape
from paste.httpserver import serve
from repoze.bfg.authentication import AuthTktAuthenticationPolicy
from repoze.bfg.authorization import ACLAuthorizationPolicy
from repoze.bfg.configuration import Configurator
from repoze.bfg.security import view_execution_permitted
from webob import Response

def x_view(request):
    # Registered below with permission='private'; no ACL grants it.
    return Response('this is private!')

def test(context, request):
    # Report whether the current user would be allowed to execute view "x".
    msg = 'Allow ./x? %s' % repr(view_execution_permitted(
        context, request, 'x'))
    return Response(escape(msg))

if __name__ == '__main__':
    authentication_policy = AuthTktAuthenticationPolicy('seekrit')
    authorization_policy = ACLAuthorizationPolicy()
    config = Configurator(authentication_policy=authentication_policy,
                          authorization_policy=authorization_policy)
    config.add_view(x_view, name='x', permission='private')
    config.add_view(test, name='test')
    app = config.make_wsgi_app()
    serve(app, host='')

My guess is this can be fixed by changing line 989 of configuration.py 
to refer to "derived_view" instead of "view".

BTW, this seems to be yet another good release!
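
The failure mode reported above, as an added example that is not part of the original post and is not repoze.bfg code: a simplified model in which the permission check lives on the secured wrapper, so an introspection call that is handed the raw view finds no check and answers "allowed" even though dispatch still denies the request. The ACL, the registry dictionaries, the hook attribute and every function name are assumptions of this model.

```python
# Simplified model, not repoze.bfg code; all names here are assumptions.
ACL = {"private": {"admin"}}  # constructed: permission -> allowed principals


def secure(view, permission):
    """Wrap a view so it enforces `permission` and exposes a check hook."""
    def permitted(principal):
        return principal in ACL.get(permission, set())

    def wrapper(principal):
        if not permitted(principal):
            return "403 Forbidden"
        return view(principal)

    wrapper.__permitted__ = permitted
    return wrapper


def x_view(principal):
    return "this is private!"


def execution_permitted(registry, name, principal):
    """Introspection helper that fails open when the hook is missing."""
    check = getattr(registry[name], "__permitted__", None)
    if check is None:
        return True  # treated as "no permission registered"
    return check(principal)


def report(principal="anonymous"):
    derived = secure(x_view, "private")
    dispatch = {"x": derived}      # what actually serves requests
    buggy = {"x": x_view}          # introspection sees the raw view
    fixed = {"x": derived}         # introspection sees the secured view
    return {
        "served": dispatch["x"](principal),
        "buggy_says_allowed": execution_permitted(buggy, "x", principal),
        "fixed_says_allowed": execution_permitted(fixed, "x", principal),
    }


if __name__ == "__main__":
    print(report())
    print(report("admin"))
```

A regression test for this class of bug asserts that the introspection answer and the dispatch outcome agree for a principal that holds no permission.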

