[Zope-Checkins] SVN: Zope/trunk/lib/python/AccessControl/requestmethod.py Add comment about postonly status
Log message for revision 73396: Add comment about postonly status Changed: U Zope/trunk/lib/python/AccessControl/requestmethod.py -=- Modified: Zope/trunk/lib/python/AccessControl/requestmethod.py === --- Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 09:54:37 UTC (rev 73395) +++ Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 09:55:32 UTC (rev 73396) @@ -72,6 +72,7 @@ return _methodtest +# For Zope versions 2.8 - 2.10 postonly = requestmethod('POST') __all__ = ('requestmethod', 'postonly') ___ Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins
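Review bot: The added comment `# For Zope versions 2.8 - 2.10` reads like a version gate rather than an explanation of why `postonly` exists on trunk at all, which the previous commit's log ("backward compatible postonly decorator") says is the point. Something like `# Backward-compatible alias: the Zope 2.8 - 2.10 branches ship postonly, so code written against them keeps working on trunk` states the contract a reader needs without having to consult the branch history. The `requestmethod` factory whose `return _methodtest` is the hunk's first context line starts outside the hunk.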
[Zope-Checkins] SVN: Zope/trunk/lib/python/AccessControl/requestmethod.py Add backward compatible postonly decorator
Log message for revision 73395: Add backward compatible postonly decorator Changed: U Zope/trunk/lib/python/AccessControl/requestmethod.py -=- Modified: Zope/trunk/lib/python/AccessControl/requestmethod.py === --- Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 09:34:33 UTC (rev 73394) +++ Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 09:54:37 UTC (rev 73395) @@ -72,4 +72,6 @@ return _methodtest -__all__ = ('requestmethod',) +postonly = requestmethod('POST') + +__all__ = ('requestmethod', 'postonly') ___ Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins
[Zope-Checkins] SVN: Zope/hotfixes/Hotfix_20070320/ Undo botched import
Log message for revision 73393: Undo botched import Changed: A Zope/hotfixes/Hotfix_20070320/ A Zope/hotfixes/Hotfix_20070320/README.txt A Zope/hotfixes/Hotfix_20070320/__init__.py A Zope/hotfixes/Hotfix_20070320/tests/ A Zope/hotfixes/Hotfix_20070320/tests/__init__.py A Zope/hotfixes/Hotfix_20070320/tests/test_hotfix.py A Zope/hotfixes/Hotfix_20070320/version.txt -=- Added: Zope/hotfixes/Hotfix_20070320/README.txt === --- Zope/hotfixes/Hotfix_20070320/README.txt2007-03-20 09:10:28 UTC (rev 73392) +++ Zope/hotfixes/Hotfix_20070320/README.txt2007-03-20 09:11:46 UTC (rev 73393) 
@@ -0,0 +1,62 @@ +Hotfix-20070320 README + +This hotfix corrects a cross-site scripting vulnerability in Zope2, +where an attacker can use a hidden GET request to leverage a +authenticated user's credentials to alter security settings and/or +user accounts. + +Note that this fix only protects against GET requests, any site that +allows endusers to create auto-submitting forms (through javascript) +will remain vulnerable. + +The hotfix may be removed after upgrading to a version of Zope2 more +recent than this hotfix. + + Affected Versions + +- Zope 2.8.0 - 2.8.8 + +- Zope 2.9.0 - 2.9.6 + +- Zope 2.10.0 - 2.10.2 + +- Earlier versions of Zope 2 are affected as well, but no new + releases for older major Zope releases (Zope 2.7 and earlier) will + be made. This Hotfix may work for older versions, but this has not + been tested. + + Installing the Hotfix + +This hotfix is installed as a standard Zope2 product. The following +examples assume that your Zope instance is located at +'/var/zope/instance': please adjust according to your actual +instance path. Also note that hotfix products are *not* intended +for installation into the "software home" of your Zope. + + 1. Unpack the tarball / zipfile for the Hotfix into a temporary + location:: + + $ cd /tmp + $ tar xzf ~/Hotfix_20070320.tar.gz + + 2. Copy or move the product directory from the unpacked directory + to the 'Products' directory of your Zope instance:: + + $ cp -a /tmp/Hotfix_20070320/ /var/zope/instance/Products/ + + 3. Restart Zope:: + + $ /var/zope/instance/bin/zopectl restart + + Uninstalling the Hotfix + +After upgrading Zope to one of the fixed versions, you should remove +this hotfix product from your Zope instance. + + 1. Remove the product directory from your instance 'Products':: + + $ rm -rf /var/zope/instance/Products/Hotfix_20070320/ + + 2. 
Restart Zope:: + + $ /var/zope/instance/bin/zopectl restart Added: Zope/hotfixes/Hotfix_20070320/__init__.py === --- Zope/hotfixes/Hotfix_20070320/__init__.py 2007-03-20 09:10:28 UTC (rev 73392) +++ Zope/hotfixes/Hotfix_20070320/__init__.py 2007-03-20 09:11:46 UTC (rev 73393) @@ -0,0 +1,122 @@ +# +# +# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +## + +"""Hotfix_20070319 + +Protect security methods against GET requests. + +""" + +import inspect +from zExceptions import Forbidden +from ZPublisher.HTTPRequest import HTTPRequest + +def _buildFacade(spec, docstring): +"""Build a facade function, matching the decorated method in signature. + +Note that defaults are replaced by None, and _curried will reconstruct +these to preserve mutable defaults. + +""" +args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec) +callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec) +return 'def _facade%s:\n"""%s"""\nreturn _curried%s' % ( +args, docstring, callargs) + +def postonly(callable): +"""Only allow callable when request method is POST.""" +spec = inspect.getargspec(callable) +args, defaults = spec[0], spec[3] +try: +r_index = args.index('REQUEST') +except ValueError: +raise ValueError('No REQUEST parameter in callable signature') + +arglen = len
[Zope-Checkins] SVN: Zope/hotfixes/ Undo botched import
Log message for revision 73392: Undo botched import Changed: D Zope/hotfixes/README.txt D Zope/hotfixes/__init__.py D Zope/hotfixes/tests/ D Zope/hotfixes/version.txt -=- Deleted: Zope/hotfixes/README.txt === --- Zope/hotfixes/README.txt2007-03-20 09:09:02 UTC (rev 73391) +++ Zope/hotfixes/README.txt2007-03-20 09:10:28 UTC (rev 73392) 
@@ -1,62 +0,0 @@ -Hotfix-20070320 README - -This hotfix corrects a cross-site scripting vulnerability in Zope2, -where an attacker can use a hidden GET request to leverage a -authenticated user's credentials to alter security settings and/or -user accounts. - -Note that this fix only protects against GET requests, any site that -allows endusers to create auto-submitting forms (through javascript) -will remain vulnerable. - -The hotfix may be removed after upgrading to a version of Zope2 more -recent than this hotfix. - - Affected Versions - -- Zope 2.8.0 - 2.8.8 - -- Zope 2.9.0 - 2.9.6 - -- Zope 2.10.0 - 2.10.2 - -- Earlier versions of Zope 2 are affected as well, but no new - releases for older major Zope releases (Zope 2.7 and earlier) will - be made. This Hotfix may work for older versions, but this has not - been tested. - - Installing the Hotfix - -This hotfix is installed as a standard Zope2 product. The following -examples assume that your Zope instance is located at -'/var/zope/instance': please adjust according to your actual -instance path. Also note that hotfix products are *not* intended -for installation into the "software home" of your Zope. - - 1. Unpack the tarball / zipfile for the Hotfix into a temporary - location:: - - $ cd /tmp - $ tar xzf ~/Hotfix_20070320.tar.gz - - 2. Copy or move the product directory from the unpacked directory - to the 'Products' directory of your Zope instance:: - - $ cp -a /tmp/Hotfix_20070320/ /var/zope/instance/Products/ - - 3. Restart Zope:: - - $ /var/zope/instance/bin/zopectl restart - - Uninstalling the Hotfix - -After upgrading Zope to one of the fixed versions, you should remove -this hotfix product from your Zope instance. - - 1. Remove the product directory from your instance 'Products':: - - $ rm -rf /var/zope/instance/Products/Hotfix_20070320/ - - 2. 
Restart Zope:: - - $ /var/zope/instance/bin/zopectl restart Deleted: Zope/hotfixes/__init__.py === --- Zope/hotfixes/__init__.py 2007-03-20 09:09:02 UTC (rev 73391) +++ Zope/hotfixes/__init__.py 2007-03-20 09:10:28 UTC (rev 73392) @@ -1,122 +0,0 @@ -# -# -# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved. -# -# This software is subject to the provisions of the Zope Public License, -# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution. -# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED -# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS -# FOR A PARTICULAR PURPOSE -# -## - -"""Hotfix_20070319 - -Protect security methods against GET requests. - -""" - -import inspect -from zExceptions import Forbidden -from ZPublisher.HTTPRequest import HTTPRequest - -def _buildFacade(spec, docstring): -"""Build a facade function, matching the decorated method in signature. - -Note that defaults are replaced by None, and _curried will reconstruct -these to preserve mutable defaults. - -""" -args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec) -callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec) -return 'def _facade%s:\n"""%s"""\nreturn _curried%s' % ( -args, docstring, callargs) - -def postonly(callable): -"""Only allow callable when request method is POST.""" -spec = inspect.getargspec(callable) -args, defaults = spec[0], spec[3] -try: -r_index = args.index('REQUEST') -except ValueError: -raise ValueError('No REQUEST parameter in callable signature') - -arglen = len(args) -if defaults is not None: -defaults = zip(args[arglen - len(defaults):], defaults) -arglen -= len(defaults) - -def _curried(*args, **kw): -request = None -if len(args) > r_index: -request = args[r_index] - -if isinstance
[Zope-Checkins] SVN: Zope/hotfixes/ Import POST-only hotfix
Log message for revision 73391: Import POST-only hotfix Changed: A Zope/hotfixes/README.txt A Zope/hotfixes/__init__.py A Zope/hotfixes/tests/ A Zope/hotfixes/tests/__init__.py A Zope/hotfixes/tests/test_hotfix.py A Zope/hotfixes/version.txt -=- Added: Zope/hotfixes/README.txt === --- Zope/hotfixes/README.txt2007-03-20 09:05:56 UTC (rev 73390) +++ Zope/hotfixes/README.txt2007-03-20 09:09:02 UTC (rev 73391) 
@@ -0,0 +1,62 @@ +Hotfix-20070320 README + +This hotfix corrects a cross-site scripting vulnerability in Zope2, +where an attacker can use a hidden GET request to leverage a +authenticated user's credentials to alter security settings and/or +user accounts. + +Note that this fix only protects against GET requests, any site that +allows endusers to create auto-submitting forms (through javascript) +will remain vulnerable. + +The hotfix may be removed after upgrading to a version of Zope2 more +recent than this hotfix. + + Affected Versions + +- Zope 2.8.0 - 2.8.8 + +- Zope 2.9.0 - 2.9.6 + +- Zope 2.10.0 - 2.10.2 + +- Earlier versions of Zope 2 are affected as well, but no new + releases for older major Zope releases (Zope 2.7 and earlier) will + be made. This Hotfix may work for older versions, but this has not + been tested. + + Installing the Hotfix + +This hotfix is installed as a standard Zope2 product. The following +examples assume that your Zope instance is located at +'/var/zope/instance': please adjust according to your actual +instance path. Also note that hotfix products are *not* intended +for installation into the "software home" of your Zope. + + 1. Unpack the tarball / zipfile for the Hotfix into a temporary + location:: + + $ cd /tmp + $ tar xzf ~/Hotfix_20070320.tar.gz + + 2. Copy or move the product directory from the unpacked directory + to the 'Products' directory of your Zope instance:: + + $ cp -a /tmp/Hotfix_20070320/ /var/zope/instance/Products/ + + 3. Restart Zope:: + + $ /var/zope/instance/bin/zopectl restart + + Uninstalling the Hotfix + +After upgrading Zope to one of the fixed versions, you should remove +this hotfix product from your Zope instance. + + 1. Remove the product directory from your instance 'Products':: + + $ rm -rf /var/zope/instance/Products/Hotfix_20070320/ + + 2. 
Restart Zope:: + + $ /var/zope/instance/bin/zopectl restart Added: Zope/hotfixes/__init__.py === --- Zope/hotfixes/__init__.py 2007-03-20 09:05:56 UTC (rev 73390) +++ Zope/hotfixes/__init__.py 2007-03-20 09:09:02 UTC (rev 73391) @@ -0,0 +1,122 @@ +# +# +# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +## + +"""Hotfix_20070319 + +Protect security methods against GET requests. + +""" + +import inspect +from zExceptions import Forbidden +from ZPublisher.HTTPRequest import HTTPRequest + +def _buildFacade(spec, docstring): +"""Build a facade function, matching the decorated method in signature. + +Note that defaults are replaced by None, and _curried will reconstruct +these to preserve mutable defaults. + +""" +args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec) +callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec) +return 'def _facade%s:\n"""%s"""\nreturn _curried%s' % ( +args, docstring, callargs) + +def postonly(callable): +"""Only allow callable when request method is POST.""" +spec = inspect.getargspec(callable) +args, defaults = spec[0], spec[3] +try: +r_index = args.index('REQUEST') +except ValueError: +raise ValueError('No REQUEST parameter in callable signature') + +arglen = len(args) +if defaults is not None: +defaults = zip(args[arglen - len(defaults):], defaults) +arglen -= len(defaults) + +def _curried(*args, **kw): +request = None +if len(args) >
[Zope-Checkins] SVN: Zope/branches/Zope-2_8-branch/ - Backport a postonly decorator from Zope trunk's requestmethod decorator factory.
Log message for revision 73390: - Backport a postonly decorator from Zope trunk's requestmethod decorator factory. - Protect various security-setting-mutators with this decorator. Changed: U Zope/branches/Zope-2_8-branch/doc/CHANGES.txt U Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py U Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py U Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py U Zope/branches/Zope-2_8-branch/lib/python/AccessControl/User.py A Zope/branches/Zope-2_8-branch/lib/python/AccessControl/requestmethod.py A Zope/branches/Zope-2_8-branch/lib/python/AccessControl/requestmethod.txt A Zope/branches/Zope-2_8-branch/lib/python/AccessControl/tests/test_requestmethod.py U Zope/branches/Zope-2_8-branch/lib/python/OFS/DTMLMethod.py U Zope/branches/Zope-2_8-branch/lib/python/Products/PythonScripts/PythonScript.py -=- Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt === --- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2007-03-20 09:03:57 UTC (rev 73389) +++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2007-03-20 09:05:56 UTC (rev 73390) @@ -8,6 +8,10 @@ Bugs fixed + - Protected various security mutators with a new postonly decorator. +The decorator limits method publishing to POST requests only, and +is a backport from Zope 2.11's requestmethod decorator factory. + - Collector #2263: 'field2ulines' did not convert empty string correctly. Modified: Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py === --- Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py 2007-03-20 09:03:57 UTC (rev 73389) +++ Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py 2007-03-20 09:05:56 UTC (rev 73390) 
@@ -18,6 +18,7 @@ import Globals, urlparse, SpecialUsers, ExtensionClass from AccessControl import getSecurityManager, Unauthorized from Acquisition import aq_get, aq_parent, aq_base +from requestmethod import postonly UnownableOwner=[] Modified: Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py === --- Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py 2007-03-20 09:03:57 UTC (rev 73389) +++ Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py 2007-03-20 09:05:56 UTC (rev 73390) @@ -26,10 +26,13 @@ from Owned import UnownableOwner from Permission import pname +from requestmethod import postonly class RoleManager: +# XXX: No security declarations? + def manage_getPermissionMapping(self): """Return the permission mapping for the object @@ -54,6 +57,7 @@ a({'permission_name': ac_perms[0], 'class_permission': p}) return r +@postonly def manage_setPermissionMapping(self, permission_names=[], class_permissions=[], REQUEST=None): Modified: Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py === --- Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py 2007-03-20 09:03:57 UTC (rev 73389) +++ Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py 2007-03-20 09:05:56 UTC (rev 73390) @@ -22,6 +22,7 @@ from App.Common import aq_base from Permission import Permission +from requestmethod import postonly DEFAULTMAXLISTUSERS=250 @@ -131,6 +132,7 @@ help_topic='Security_Manage-Role.stx', help_product='OFSP') +@postonly def manage_role(self, role_to_manage, permissions=[], REQUEST=None): """Change the permissions given to the given role. """ @@ -147,6 +149,7 @@ help_topic='Security_Manage-Acquisition.stx', help_product='OFSP') +@postonly def manage_acquiredPermissions(self, permissions=[], REQUEST=None): """Change the permissions that acquire. """ 
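Review bot: The `# XXX: No security declarations?` comment added to `RoleManager` in the PermissionMapping.py hunk `@@ -26,10 +26,13 @@` ships an open question instead of resolving it: `manage_setPermissionMapping`, which this commit marks `@postonly` in the next hunk, has no `security.declareProtected(...)` in the visible lines, unlike the Role.py and Owned.py methods on this page that carry one right above their decorator. Either add the declaration in this commit or make the comment a tracked item, e.g. `# TODO(<owner>): add security declarations for manage_setPermissionMapping (<tracker-id placeholder>)`. Whether a declaration exists elsewhere in the class cannot be seen from the hunk. The same comment is added by the 2.9, 2.10 and trunk commits on L23, L27 and L30.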
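Review bot: The `@postonly` decorator syntax in the PermissionMapping.py hunk `@@ -54,6 +57,7 @@` and the Role.py hunks `@@ -131,6 +132,7 @@` and `@@ -147,6 +149,7 @@` (and those continuing on L20) requires Python 2.4; if this 2.8 branch is still meant to run on Python 2.3 — I believe it was, but the page does not say — these modules stop importing with a SyntaxError, which breaks AccessControl outright rather than merely skipping the check. The pre-2.4 spelling, e.g. `manage_setPermissionMapping = postonly(manage_setPermissionMapping)` placed right after the def, has the same effect on every interpreter the branch supports, and is notably the form the hotfix product on this page uses. The decorated methods' bodies continue outside the hunks.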
@@ -166,6 +169,7 @@ help_topic='Security_Manage-Permission.stx', help_product='OFSP') +@postonly def manage_permission(self, permission_to_manage, roles=[], acquire=0, REQUEST=None): """Change the settings for the given permission. @@ -202,6 +206,7 @@ else: return apply(self._normal_manage_access,(), kw) +@postonly def manage_changePermissions(self, REQUEST): """Change all permissions settings, called by management screen. """ @@ -349,6 +354,7 @@ dict=self.__ac_local_roles__ or {} retu
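Review bot: The docstrings of the newly restricted methods, e.g. `"""Change all permissions settings, called by management screen. """` on `manage_changePermissions` in the Role.py hunk `@@ -202,6 +206,7 @@`, say nothing about the restriction, so anyone publishing them from a GET form learns about it only at runtime. A one-line addition such as `Published only for POST requests (postonly decorator); other request methods are refused.` on each decorated method documents the contract, and it is worth saying there that the check looks only at the request method and does not by itself stop a cross-site auto-submitted POST form — the hotfix README on this page states the same caveat. The same applies to the decorated methods in the hunks on L19, L23, L24, L27, L28, L31 and L32. `manage_changePermissions`'s body continues outside the hunk.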
[Zope-Checkins] SVN: Zope/branches/2.9/ - Backport a postonly decorator from Zope trunk's requestmethod decorator factory.
Log message for revision 73389: - Backport a postonly decorator from Zope trunk's requestmethod decorator factory. - Protect various security-setting-mutators with this decorator. Changed: U Zope/branches/2.9/doc/CHANGES.txt U Zope/branches/2.9/lib/python/AccessControl/Owned.py U Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py U Zope/branches/2.9/lib/python/AccessControl/Role.py U Zope/branches/2.9/lib/python/AccessControl/User.py A Zope/branches/2.9/lib/python/AccessControl/requestmethod.py A Zope/branches/2.9/lib/python/AccessControl/requestmethod.txt A Zope/branches/2.9/lib/python/AccessControl/tests/test_requestmethod.py U Zope/branches/2.9/lib/python/OFS/DTMLMethod.py U Zope/branches/2.9/lib/python/Products/PythonScripts/PythonScript.py -=- Modified: Zope/branches/2.9/doc/CHANGES.txt === --- Zope/branches/2.9/doc/CHANGES.txt 2007-03-20 09:02:28 UTC (rev 73388) +++ Zope/branches/2.9/doc/CHANGES.txt 2007-03-20 09:03:57 UTC (rev 73389) @@ -8,6 +8,10 @@ Bugs fixed + - Protected various security mutators with a new postonly decorator. +The decorator limits method publishing to POST requests only, and +is a backport from Zope 2.11's requestmethod decorator factory. + - Collector #2288: @ and + should not be quoted when forming request URLs in BaseRequest and HTTPRequest Modified: Zope/branches/2.9/lib/python/AccessControl/Owned.py === --- Zope/branches/2.9/lib/python/AccessControl/Owned.py 2007-03-20 09:02:28 UTC (rev 73388) +++ Zope/branches/2.9/lib/python/AccessControl/Owned.py 2007-03-20 09:03:57 UTC (rev 73389) 
@@ -18,6 +18,7 @@ import Globals, urlparse, SpecialUsers, ExtensionClass from AccessControl import getSecurityManager, Unauthorized from Acquisition import aq_get, aq_parent, aq_base +from requestmethod import postonly from zope.interface import implements from interfaces import IOwned Modified: Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py === --- Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py 2007-03-20 09:02:28 UTC (rev 73388) +++ Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py 2007-03-20 09:03:57 UTC (rev 73389) @@ -28,11 +28,14 @@ from interfaces import IPermissionMappingSupport from Owned import UnownableOwner from Permission import pname +from requestmethod import postonly class RoleManager: implements(IPermissionMappingSupport) + +# XXX: No security declarations? def manage_getPermissionMapping(self): """Return the permission mapping for the object @@ -58,6 +61,7 @@ a({'permission_name': ac_perms[0], 'class_permission': p}) return r +@postonly def manage_setPermissionMapping(self, permission_names=[], class_permissions=[], REQUEST=None): Modified: Zope/branches/2.9/lib/python/AccessControl/Role.py === --- Zope/branches/2.9/lib/python/AccessControl/Role.py 2007-03-20 09:02:28 UTC (rev 73388) +++ Zope/branches/2.9/lib/python/AccessControl/Role.py 2007-03-20 09:03:57 UTC (rev 73389) @@ -24,6 +24,7 @@ from interfaces import IRoleManager from Permission import Permission +from requestmethod import postonly DEFAULTMAXLISTUSERS=250 @@ -135,6 +136,7 @@ help_topic='Security_Manage-Role.stx', help_product='OFSP') +@postonly def manage_role(self, role_to_manage, permissions=[], REQUEST=None): """Change the permissions given to the given role. """ @@ -151,6 +153,7 @@ help_topic='Security_Manage-Acquisition.stx', help_product='OFSP') +@postonly def manage_acquiredPermissions(self, permissions=[], REQUEST=None): """Change the permissions that acquire. """ 
@@ -170,6 +173,7 @@ help_topic='Security_Manage-Permission.stx', help_product='OFSP') +@postonly def manage_permission(self, permission_to_manage, roles=[], acquire=0, REQUEST=None): """Change the settings for the given permission. @@ -206,6 +210,7 @@ else: return apply(self._normal_manage_access,(), kw) +@postonly def manage_changePermissions(self, REQUEST): """Change all permissions settings, called by management screen. """ @@ -353,6 +358,7 @@ dict=self.__ac_local_roles__ or {} return tuple(dict.get(userid, [])) +@postonly def manage_addLocalRoles(self, userid, roles, REQUEST=None
[Zope-Checkins] SVN: Zope/branches/2.10/ - Backport a postonly decorator from Zope trunk's requestmethod decorator factory.
Log message for revision 73388: - Backport a postonly decorator from Zope trunk's requestmethod decorator factory. - Protect various security-setting-mutators with this decorator. Changed: U Zope/branches/2.10/doc/CHANGES.txt U Zope/branches/2.10/lib/python/AccessControl/Owned.py U Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py U Zope/branches/2.10/lib/python/AccessControl/Role.py U Zope/branches/2.10/lib/python/AccessControl/User.py A Zope/branches/2.10/lib/python/AccessControl/requestmethod.py A Zope/branches/2.10/lib/python/AccessControl/requestmethod.txt A Zope/branches/2.10/lib/python/AccessControl/tests/test_requestmethod.py U Zope/branches/2.10/lib/python/OFS/DTMLMethod.py U Zope/branches/2.10/lib/python/Products/PythonScripts/PythonScript.py -=- Modified: Zope/branches/2.10/doc/CHANGES.txt === --- Zope/branches/2.10/doc/CHANGES.txt 2007-03-20 08:56:31 UTC (rev 73387) +++ Zope/branches/2.10/doc/CHANGES.txt 2007-03-20 09:02:28 UTC (rev 73388) @@ -8,6 +8,10 @@ Bugs fixed + - Protected various security mutators with a new postonly decorator. +The decorator limits method publishing to POST requests only, and +is a backport from Zope 2.11's requestmethod decorator factory. + - Collector #2289: restored compatibility with PTProfiler - No longer opens a zodb connection every time a ProductDispatcher Modified: Zope/branches/2.10/lib/python/AccessControl/Owned.py === --- Zope/branches/2.10/lib/python/AccessControl/Owned.py2007-03-20 08:56:31 UTC (rev 73387) +++ Zope/branches/2.10/lib/python/AccessControl/Owned.py2007-03-20 09:02:28 UTC (rev 73388) @@ -22,6 +22,7 @@ from AccessControl.Permissions import view_management_screens from AccessControl.Permissions import take_ownership from Acquisition import aq_get, aq_parent, aq_base +from requestmethod import postonly from zope.interface import implements from interfaces import IOwned 
@@ -177,6 +178,7 @@ return security.checkPermission('Take ownership', self) security.declareProtected(take_ownership, 'manage_takeOwnership') +@postonly def manage_takeOwnership(self, REQUEST, RESPONSE, recursive=0): """Take ownership (responsibility) for an object. @@ -197,6 +199,7 @@ RESPONSE.redirect(REQUEST['HTTP_REFERER']) security.declareProtected(take_ownership, 'manage_changeOwnershipType') +@postonly def manage_changeOwnershipType(self, explicit=1, RESPONSE=None, REQUEST=None): """Change the type (implicit or explicit) of ownership. Modified: Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py === --- Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py 2007-03-20 08:56:31 UTC (rev 73387) +++ Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py 2007-03-20 09:02:28 UTC (rev 73388) @@ -28,11 +28,14 @@ from interfaces import IPermissionMappingSupport from Owned import UnownableOwner from Permission import pname +from requestmethod import postonly class RoleManager: implements(IPermissionMappingSupport) + +# XXX: No security declarations? def manage_getPermissionMapping(self): """Return the permission mapping for the object @@ -58,6 +61,7 @@ a({'permission_name': ac_perms[0], 'class_permission': p}) return r +@postonly def manage_setPermissionMapping(self, permission_names=[], class_permissions=[], REQUEST=None): Modified: Zope/branches/2.10/lib/python/AccessControl/Role.py === --- Zope/branches/2.10/lib/python/AccessControl/Role.py 2007-03-20 08:56:31 UTC (rev 73387) +++ Zope/branches/2.10/lib/python/AccessControl/Role.py 2007-03-20 09:02:28 UTC (rev 73388) @@ -27,6 +27,7 @@ from interfaces import IRoleManager from Permission import Permission +from requestmethod import postonly DEFAULTMAXLISTUSERS=250 
@@ -128,6 +129,7 @@ help_product='OFSP') security.declareProtected(change_permissions, 'manage_role') +@postonly def manage_role(self, role_to_manage, permissions=[], REQUEST=None): """Change the permissions given to the given role. """ @@ -146,6 +148,7 @@ help_product='OFSP') security.declareProtected(change_permissions, 'manage_acquiredPermissions') +@postonly def manage_acquiredPermissions(self, permissions=[], REQUEST=None): """Change the permissions that acquire. """ @@ -167,6 +170,7 @@ help_product='OFSP')
[Zope-Checkins] SVN: Zope/trunk/ - Add a request method decorator to AccessControl, creating decorators that limit a method to one request method only.
Log message for revision 73386: - Add a request method decorator to AccessControl, creating decorators that limit a method to one request method only. - Protect various security-setting-mutators with a POST-only decorator. Changed: U Zope/trunk/doc/CHANGES.txt U Zope/trunk/lib/python/AccessControl/Owned.py U Zope/trunk/lib/python/AccessControl/PermissionMapping.py U Zope/trunk/lib/python/AccessControl/Role.py U Zope/trunk/lib/python/AccessControl/User.py A Zope/trunk/lib/python/AccessControl/requestmethod.py A Zope/trunk/lib/python/AccessControl/requestmethod.txt A Zope/trunk/lib/python/AccessControl/tests/test_requestmethod.py U Zope/trunk/lib/python/OFS/DTMLMethod.py U Zope/trunk/lib/python/Products/PythonScripts/PythonScript.py -=- Modified: Zope/trunk/doc/CHANGES.txt === --- Zope/trunk/doc/CHANGES.txt 2007-03-20 08:07:42 UTC (rev 73385) +++ Zope/trunk/doc/CHANGES.txt 2007-03-20 08:50:24 UTC (rev 73386) @@ -51,6 +51,12 @@ Features added + - A new module, AccessControl.requestmethod, provides a decorator +factory that limits decorated methods to one request method only. +For example, marking a method with @requestmethod('POST') limits +that method to POST requests only when published. Several +security-related methods have been limited to POST only. + - PythonScripts: allow usage of Python's 'sets' module - added 'fast_listen' directive to http-server and webdav-source-server Modified: Zope/trunk/lib/python/AccessControl/Owned.py === --- Zope/trunk/lib/python/AccessControl/Owned.py2007-03-20 08:07:42 UTC (rev 73385) +++ Zope/trunk/lib/python/AccessControl/Owned.py2007-03-20 08:50:24 UTC (rev 73386) @@ -22,6 +22,7 @@ from AccessControl.Permissions import view_management_screens from AccessControl.Permissions import take_ownership from Acquisition import aq_get, aq_parent, aq_base +from requestmethod import requestmethod from zope.interface import implements from interfaces import IOwned 
@@ -177,6 +178,7 @@ return security.checkPermission('Take ownership', self) security.declareProtected(take_ownership, 'manage_takeOwnership') +@requestmethod('POST') def manage_takeOwnership(self, REQUEST, RESPONSE, recursive=0): """Take ownership (responsibility) for an object. @@ -197,6 +199,7 @@ RESPONSE.redirect(REQUEST['HTTP_REFERER']) security.declareProtected(take_ownership, 'manage_changeOwnershipType') +@requestmethod('POST') def manage_changeOwnershipType(self, explicit=1, RESPONSE=None, REQUEST=None): """Change the type (implicit or explicit) of ownership. Modified: Zope/trunk/lib/python/AccessControl/PermissionMapping.py === --- Zope/trunk/lib/python/AccessControl/PermissionMapping.py2007-03-20 08:07:42 UTC (rev 73385) +++ Zope/trunk/lib/python/AccessControl/PermissionMapping.py2007-03-20 08:50:24 UTC (rev 73386) @@ -28,11 +28,14 @@ from interfaces import IPermissionMappingSupport from Owned import UnownableOwner from Permission import pname +from requestmethod import requestmethod class RoleManager: implements(IPermissionMappingSupport) + +# XXX: No security declarations? def manage_getPermissionMapping(self): """Return the permission mapping for the object @@ -58,6 +61,7 @@ a({'permission_name': ac_perms[0], 'class_permission': p}) return r +@requestmethod('POST') def manage_setPermissionMapping(self, permission_names=[], class_permissions=[], REQUEST=None): Modified: Zope/trunk/lib/python/AccessControl/Role.py === --- Zope/trunk/lib/python/AccessControl/Role.py 2007-03-20 08:07:42 UTC (rev 73385) +++ Zope/trunk/lib/python/AccessControl/Role.py 2007-03-20 08:50:24 UTC (rev 73386) @@ -28,6 +28,7 @@ from interfaces import IRoleManager from Permission import Permission +from requestmethod import requestmethod DEFAULTMAXLISTUSERS=250 
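Review bot: Whether the wrapper that `@requestmethod('POST')` puts in place of `manage_takeOwnership` in the Owned.py hunk `@@ -177,6 +178,7 @@` keeps the original parameter names cannot be checked here, because `requestmethod.py` is added by this commit but not shown. That matters for the check itself: Zope's publisher supplies `REQUEST` and `RESPONSE` by parameter name, so a wrapper with a generic `*args, **kw` signature would not be handed the request and the restriction could never see the method it is supposed to guard — the hotfix's `_buildFacade` on this page exists precisely to rebuild the decorated signature. Please confirm `requestmethod.py` does the same and that `test_requestmethod.py` covers a non-POST request being refused. The `security.declareProtected(take_ownership, 'manage_takeOwnership')` line above the decorator is keyed by name, so it presumably still applies to the wrapper; the same point applies to the backports on L19, L23 and L27.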
@@ -129,6 +130,7 @@ help_product='OFSP') security.declareProtected(change_permissions, 'manage_role') +@requestmethod('POST') def manage_role(self, role_to_manage, permissions=[], REQUEST=None): """Change the permissions given to the given role. """ @@ -147,6 +149,7 @@ help_product='OFSP') security.declareProtected(change_permissions, 'manage_acquiredPermissions') +@requestmethod('POST') def manage_acquiredPermissions(self, permissions=[], REQUEST=None): """Change the permissions that acquire. """ @