[Zope-Checkins] SVN: Zope/trunk/lib/python/AccessControl/requestmethod.py Add comment about postonly status

2007-03-20 Thread Martijn Pieters
Log message for revision 73396:
  Add comment about postonly status

Changed:
  U   Zope/trunk/lib/python/AccessControl/requestmethod.py

-=-
Modified: Zope/trunk/lib/python/AccessControl/requestmethod.py
===
--- Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 
09:54:37 UTC (rev 73395)
+++ Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 
09:55:32 UTC (rev 73396)
@@ -72,6 +72,7 @@
 
 return _methodtest
 
+# For Zope versions 2.8 - 2.10
 postonly = requestmethod('POST')
 
 __all__ = ('requestmethod', 'postonly')
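Review bot: The added comment names the Zope versions `postonly` is meant for but not why the alias exists on trunk at all, so a reader cannot tell whether new code should spell it `postonly` or `requestmethod('POST')`. The previous revision's log message calls it a backward-compatible decorator; recording that intent, e.g. `# Backward-compatible alias for code written against the Zope 2.8-2.10 backports; new code can use requestmethod('POST') directly.`, would make the two-spellings situation explicit. The `requestmethod` factory whose `return _methodtest` closes the hunk starts outside it.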



[Zope-Checkins] SVN: Zope/trunk/lib/python/AccessControl/requestmethod.py Add backward compatible postonly decorator

2007-03-20 Thread Martijn Pieters
Log message for revision 73395:
  Add backward compatible postonly decorator

Changed:
  U   Zope/trunk/lib/python/AccessControl/requestmethod.py

-=-
Modified: Zope/trunk/lib/python/AccessControl/requestmethod.py
===
--- Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 
09:34:33 UTC (rev 73394)
+++ Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 
09:54:37 UTC (rev 73395)
@@ -72,4 +72,6 @@
 
 return _methodtest
 
-__all__ = ('requestmethod',)
+postonly = requestmethod('POST')
+
+__all__ = ('requestmethod', 'postonly')



[Zope-Checkins] SVN: Zope/hotfixes/Hotfix_20070320/ Undo botched import

2007-03-20 Thread Martijn Pieters
Log message for revision 73393:
  Undo botched import

Changed:
  A   Zope/hotfixes/Hotfix_20070320/
  A   Zope/hotfixes/Hotfix_20070320/README.txt
  A   Zope/hotfixes/Hotfix_20070320/__init__.py
  A   Zope/hotfixes/Hotfix_20070320/tests/
  A   Zope/hotfixes/Hotfix_20070320/tests/__init__.py
  A   Zope/hotfixes/Hotfix_20070320/tests/test_hotfix.py
  A   Zope/hotfixes/Hotfix_20070320/version.txt

-=-
Added: Zope/hotfixes/Hotfix_20070320/README.txt
===
--- Zope/hotfixes/Hotfix_20070320/README.txt2007-03-20 09:10:28 UTC (rev 
73392)
+++ Zope/hotfixes/Hotfix_20070320/README.txt2007-03-20 09:11:46 UTC (rev 
73393)
@@ -0,0 +1,62 @@
+Hotfix-20070320 README
+
+This hotfix corrects a cross-site scripting vulnerability in Zope2,
+where an attacker can use a hidden GET request to leverage a 
+authenticated user's credentials to alter security settings and/or
+user accounts.
+
+Note that this fix only protects against GET requests, any site that
+allows endusers to create auto-submitting forms (through javascript)
+will remain vulnerable.
+
+The hotfix may be removed after upgrading to a version of Zope2 more
+recent than this hotfix.
+
+  Affected Versions
+
+- Zope 2.8.0 - 2.8.8
+
+- Zope 2.9.0 - 2.9.6
+
+- Zope 2.10.0 - 2.10.2
+
+- Earlier versions of Zope 2 are affected as well, but no new
+  releases for older major Zope releases (Zope 2.7 and earlier) will
+  be made. This Hotfix may work for older versions, but this has not
+  been tested.
+
+  Installing the Hotfix
+
+This hotfix is installed as a standard Zope2 product.  The following
+examples assume that your Zope instance is located at
+'/var/zope/instance':  please adjust according to your actual
+instance path.  Also note that hotfix products are *not* intended
+for installation into the "software home" of your Zope.
+
+  1. Unpack the tarball / zipfile for the Hotfix into a temporary
+ location::
+
+  $ cd /tmp
+  $ tar xzf ~/Hotfix_20070320.tar.gz
+
+  2. Copy or move the product directory from the unpacked directory
+ to the 'Products' directory of your Zope instance::
+
+  $ cp -a /tmp/Hotfix_20070320/ /var/zope/instance/Products/
+
+  3. Restart Zope::
+
+  $ /var/zope/instance/bin/zopectl restart
+
+  Uninstalling the Hotfix
+
+After upgrading Zope to one of the fixed versions, you should remove
+this hotfix product from your Zope instance.
+
+  1. Remove the product directory from your instance 'Products'::
+
+  $ rm -rf /var/zope/instance/Products/Hotfix_20070320/
+
+  2. Restart Zope::
+
+  $ /var/zope/instance/bin/zopectl restart
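Review bot: The opening sentence labels this a cross-site scripting vulnerability, but what the README actually describes, a forged GET that rides an authenticated user's credentials to alter security settings or accounts, is cross-site request forgery, and the XSS label will misdirect administrators assessing their exposure. Suggest `This hotfix mitigates a cross-site request forgery (CSRF) vulnerability in Zope2,` for that line. The residual-risk paragraph also appears to understate the gap: restricting the mutators to POST defeats links and image tags, but an auto-submitting POST form can be hosted on any attacker-controlled page, not only on sites that let end users author forms, unless something outside this hotfix checks a token or the request origin. Wording it as `this fix only blocks GET-based attacks; an auto-submitting POST form on a third-party page remains effective` would give operators an accurate picture of what is and is not covered.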

Added: Zope/hotfixes/Hotfix_20070320/__init__.py
===
--- Zope/hotfixes/Hotfix_20070320/__init__.py   2007-03-20 09:10:28 UTC (rev 
73392)
+++ Zope/hotfixes/Hotfix_20070320/__init__.py   2007-03-20 09:11:46 UTC (rev 
73393)
@@ -0,0 +1,122 @@
+#
+#
+# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE
+#
+##
+
+"""Hotfix_20070319
+
+Protect security methods against GET requests.
+
+"""
+
+import inspect
+from zExceptions import Forbidden
+from ZPublisher.HTTPRequest import HTTPRequest
+
+def _buildFacade(spec, docstring):
+"""Build a facade function, matching the decorated method in signature.
+
+Note that defaults are replaced by None, and _curried will reconstruct
+these to preserve mutable defaults.
+
+"""
+args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec)
+callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec)
+return 'def _facade%s:\n"""%s"""\nreturn _curried%s' % (
+args, docstring, callargs)
+
+def postonly(callable):
+"""Only allow callable when request method is POST."""
+spec = inspect.getargspec(callable)
+args, defaults = spec[0], spec[3]
+try:
+r_index = args.index('REQUEST')
+except ValueError:
+raise ValueError('No REQUEST parameter in callable signature')
+
+arglen = len

[Zope-Checkins] SVN: Zope/hotfixes/ Undo botched import

2007-03-20 Thread Martijn Pieters
Log message for revision 73392:
  Undo botched import

Changed:
  D   Zope/hotfixes/README.txt
  D   Zope/hotfixes/__init__.py
  D   Zope/hotfixes/tests/
  D   Zope/hotfixes/version.txt

-=-
Deleted: Zope/hotfixes/README.txt
===
--- Zope/hotfixes/README.txt2007-03-20 09:09:02 UTC (rev 73391)
+++ Zope/hotfixes/README.txt2007-03-20 09:10:28 UTC (rev 73392)
@@ -1,62 +0,0 @@
-Hotfix-20070320 README
-
-This hotfix corrects a cross-site scripting vulnerability in Zope2,
-where an attacker can use a hidden GET request to leverage a 
-authenticated user's credentials to alter security settings and/or
-user accounts.
-
-Note that this fix only protects against GET requests, any site that
-allows endusers to create auto-submitting forms (through javascript)
-will remain vulnerable.
-
-The hotfix may be removed after upgrading to a version of Zope2 more
-recent than this hotfix.
-
-  Affected Versions
-
-- Zope 2.8.0 - 2.8.8
-
-- Zope 2.9.0 - 2.9.6
-
-- Zope 2.10.0 - 2.10.2
-
-- Earlier versions of Zope 2 are affected as well, but no new
-  releases for older major Zope releases (Zope 2.7 and earlier) will
-  be made. This Hotfix may work for older versions, but this has not
-  been tested.
-
-  Installing the Hotfix
-
-This hotfix is installed as a standard Zope2 product.  The following
-examples assume that your Zope instance is located at
-'/var/zope/instance':  please adjust according to your actual
-instance path.  Also note that hotfix products are *not* intended
-for installation into the "software home" of your Zope.
-
-  1. Unpack the tarball / zipfile for the Hotfix into a temporary
- location::
-
-  $ cd /tmp
-  $ tar xzf ~/Hotfix_20070320.tar.gz
-
-  2. Copy or move the product directory from the unpacked directory
- to the 'Products' directory of your Zope instance::
-
-  $ cp -a /tmp/Hotfix_20070320/ /var/zope/instance/Products/
-
-  3. Restart Zope::
-
-  $ /var/zope/instance/bin/zopectl restart
-
-  Uninstalling the Hotfix
-
-After upgrading Zope to one of the fixed versions, you should remove
-this hotfix product from your Zope instance.
-
-  1. Remove the product directory from your instance 'Products'::
-
-  $ rm -rf /var/zope/instance/Products/Hotfix_20070320/
-
-  2. Restart Zope::
-
-  $ /var/zope/instance/bin/zopectl restart

Deleted: Zope/hotfixes/__init__.py
===
--- Zope/hotfixes/__init__.py   2007-03-20 09:09:02 UTC (rev 73391)
+++ Zope/hotfixes/__init__.py   2007-03-20 09:10:28 UTC (rev 73392)
@@ -1,122 +0,0 @@
-#
-#
-# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved.
-#
-# This software is subject to the provisions of the Zope Public License,
-# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
-# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
-# FOR A PARTICULAR PURPOSE
-#
-##
-
-"""Hotfix_20070319
-
-Protect security methods against GET requests.
-
-"""
-
-import inspect
-from zExceptions import Forbidden
-from ZPublisher.HTTPRequest import HTTPRequest
-
-def _buildFacade(spec, docstring):
-"""Build a facade function, matching the decorated method in signature.
-
-Note that defaults are replaced by None, and _curried will reconstruct
-these to preserve mutable defaults.
-
-"""
-args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec)
-callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec)
-return 'def _facade%s:\n"""%s"""\nreturn _curried%s' % (
-args, docstring, callargs)
-
-def postonly(callable):
-"""Only allow callable when request method is POST."""
-spec = inspect.getargspec(callable)
-args, defaults = spec[0], spec[3]
-try:
-r_index = args.index('REQUEST')
-except ValueError:
-raise ValueError('No REQUEST parameter in callable signature')
-
-arglen = len(args)
-if defaults is not None:
-defaults = zip(args[arglen - len(defaults):], defaults)
-arglen -= len(defaults)
-
-def _curried(*args, **kw):
-request = None
-if len(args) > r_index:
-request = args[r_index]
-
-if isinstance

[Zope-Checkins] SVN: Zope/hotfixes/ Import POST-only hotfix

2007-03-20 Thread Martijn Pieters
Log message for revision 73391:
  Import POST-only hotfix

Changed:
  A   Zope/hotfixes/README.txt
  A   Zope/hotfixes/__init__.py
  A   Zope/hotfixes/tests/
  A   Zope/hotfixes/tests/__init__.py
  A   Zope/hotfixes/tests/test_hotfix.py
  A   Zope/hotfixes/version.txt

-=-
Added: Zope/hotfixes/README.txt
===
--- Zope/hotfixes/README.txt2007-03-20 09:05:56 UTC (rev 73390)
+++ Zope/hotfixes/README.txt2007-03-20 09:09:02 UTC (rev 73391)
@@ -0,0 +1,62 @@
+Hotfix-20070320 README
+
+This hotfix corrects a cross-site scripting vulnerability in Zope2,
+where an attacker can use a hidden GET request to leverage a 
+authenticated user's credentials to alter security settings and/or
+user accounts.
+
+Note that this fix only protects against GET requests, any site that
+allows endusers to create auto-submitting forms (through javascript)
+will remain vulnerable.
+
+The hotfix may be removed after upgrading to a version of Zope2 more
+recent than this hotfix.
+
+  Affected Versions
+
+- Zope 2.8.0 - 2.8.8
+
+- Zope 2.9.0 - 2.9.6
+
+- Zope 2.10.0 - 2.10.2
+
+- Earlier versions of Zope 2 are affected as well, but no new
+  releases for older major Zope releases (Zope 2.7 and earlier) will
+  be made. This Hotfix may work for older versions, but this has not
+  been tested.
+
+  Installing the Hotfix
+
+This hotfix is installed as a standard Zope2 product.  The following
+examples assume that your Zope instance is located at
+'/var/zope/instance':  please adjust according to your actual
+instance path.  Also note that hotfix products are *not* intended
+for installation into the "software home" of your Zope.
+
+  1. Unpack the tarball / zipfile for the Hotfix into a temporary
+ location::
+
+  $ cd /tmp
+  $ tar xzf ~/Hotfix_20070320.tar.gz
+
+  2. Copy or move the product directory from the unpacked directory
+ to the 'Products' directory of your Zope instance::
+
+  $ cp -a /tmp/Hotfix_20070320/ /var/zope/instance/Products/
+
+  3. Restart Zope::
+
+  $ /var/zope/instance/bin/zopectl restart
+
+  Uninstalling the Hotfix
+
+After upgrading Zope to one of the fixed versions, you should remove
+this hotfix product from your Zope instance.
+
+  1. Remove the product directory from your instance 'Products'::
+
+  $ rm -rf /var/zope/instance/Products/Hotfix_20070320/
+
+  2. Restart Zope::
+
+  $ /var/zope/instance/bin/zopectl restart

Added: Zope/hotfixes/__init__.py
===
--- Zope/hotfixes/__init__.py   2007-03-20 09:05:56 UTC (rev 73390)
+++ Zope/hotfixes/__init__.py   2007-03-20 09:09:02 UTC (rev 73391)
@@ -0,0 +1,122 @@
+#
+#
+# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE
+#
+##
+
+"""Hotfix_20070319
+
+Protect security methods against GET requests.
+
+"""
+
+import inspect
+from zExceptions import Forbidden
+from ZPublisher.HTTPRequest import HTTPRequest
+
+def _buildFacade(spec, docstring):
+"""Build a facade function, matching the decorated method in signature.
+
+Note that defaults are replaced by None, and _curried will reconstruct
+these to preserve mutable defaults.
+
+"""
+args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec)
+callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec)
+return 'def _facade%s:\n"""%s"""\nreturn _curried%s' % (
+args, docstring, callargs)
+
+def postonly(callable):
+"""Only allow callable when request method is POST."""
+spec = inspect.getargspec(callable)
+args, defaults = spec[0], spec[3]
+try:
+r_index = args.index('REQUEST')
+except ValueError:
+raise ValueError('No REQUEST parameter in callable signature')
+
+arglen = len(args)
+if defaults is not None:
+defaults = zip(args[arglen - len(defaults):], defaults)
+arglen -= len(defaults)
+
+def _curried(*args, **kw):
+request = None
+if len(args) >

[Zope-Checkins] SVN: Zope/branches/Zope-2_8-branch/ - Backport a postonly decorator from Zope trunk's requestmethod decorator factory.

2007-03-20 Thread Martijn Pieters
Log message for revision 73390:
  - Backport a postonly decorator from Zope trunk's requestmethod decorator 
factory.
  - Protect various security-setting-mutators with this decorator.

Changed:
  U   Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
  U   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py
  U   
Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py
  U   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py
  U   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/User.py
  A   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/requestmethod.py
  A   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/requestmethod.txt
  A   
Zope/branches/Zope-2_8-branch/lib/python/AccessControl/tests/test_requestmethod.py
  U   Zope/branches/Zope-2_8-branch/lib/python/OFS/DTMLMethod.py
  U   
Zope/branches/Zope-2_8-branch/lib/python/Products/PythonScripts/PythonScript.py

-=-
Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
===
--- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt   2007-03-20 09:03:57 UTC 
(rev 73389)
+++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt   2007-03-20 09:05:56 UTC 
(rev 73390)
@@ -8,6 +8,10 @@
 
 Bugs fixed
 
+  - Protected various security mutators with a new postonly decorator.
+The decorator limits method publishing to POST requests only, and
+is a backport from Zope 2.11's requestmethod decorator factory.
+
   - Collector #2263: 'field2ulines' did not convert empty string
 correctly.
 

Modified: Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py
===
--- Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py 
2007-03-20 09:03:57 UTC (rev 73389)
+++ Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py 
2007-03-20 09:05:56 UTC (rev 73390)
@@ -18,6 +18,7 @@
 import Globals, urlparse, SpecialUsers, ExtensionClass
 from AccessControl import getSecurityManager, Unauthorized
 from Acquisition import aq_get, aq_parent, aq_base
+from requestmethod import postonly
 
 
 UnownableOwner=[]
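Review bot: Owned.py in the 2.8 branch gains only the `from requestmethod import postonly` import; the diff for this file contains no other hunk, whereas the matching 2.10 and trunk commits decorate `manage_takeOwnership` and `manage_changeOwnershipType` in the same file. Unless those decorations are applied somewhere not shown here, the ownership mutators on this branch remain reachable by GET and the new import is unused. Adding `@postonly` directly above both `def` lines, as the 2.10 diff does, would bring the branch in line with the other fixed versions. The rest of Owned.py is outside this hunk, so this is inferred from the file's diff having a single hunk rather than seen directly.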

Modified: 
Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py
===
--- Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py 
2007-03-20 09:03:57 UTC (rev 73389)
+++ Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py 
2007-03-20 09:05:56 UTC (rev 73390)
@@ -26,10 +26,13 @@
 
 from Owned import UnownableOwner
 from Permission import pname
+from requestmethod import postonly
 
 
 class RoleManager:
 
+# XXX: No security declarations?
+
 def manage_getPermissionMapping(self):
 """Return the permission mapping for the object
 
@@ -54,6 +57,7 @@
 a({'permission_name': ac_perms[0], 'class_permission': p})
 return r
 
+@postonly
 def manage_setPermissionMapping(self,
 permission_names=[],
 class_permissions=[], REQUEST=None):

Modified: Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py
===
--- Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py  
2007-03-20 09:03:57 UTC (rev 73389)
+++ Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py  
2007-03-20 09:05:56 UTC (rev 73390)
@@ -22,6 +22,7 @@
 from App.Common import aq_base
 
 from Permission import Permission
+from requestmethod import postonly
 
 
 DEFAULTMAXLISTUSERS=250
@@ -131,6 +132,7 @@
  help_topic='Security_Manage-Role.stx',
  help_product='OFSP')
 
+@postonly
 def manage_role(self, role_to_manage, permissions=[], REQUEST=None):
 """Change the permissions given to the given role.
 """
@@ -147,6 +149,7 @@
  help_topic='Security_Manage-Acquisition.stx',
  help_product='OFSP')
 
+@postonly
 def manage_acquiredPermissions(self, permissions=[], REQUEST=None):
 """Change the permissions that acquire.
 """
@@ -166,6 +169,7 @@
help_topic='Security_Manage-Permission.stx',
help_product='OFSP')
 
+@postonly
 def manage_permission(self, permission_to_manage,
   roles=[], acquire=0, REQUEST=None):
 """Change the settings for the given permission.
@@ -202,6 +206,7 @@
 else:
 return apply(self._normal_manage_access,(), kw)
 
+@postonly
 def manage_changePermissions(self, REQUEST):
 """Change all permissions settings, called by management screen.
 """
@@ -349,6 +354,7 @@
 dict=self.__ac_local_roles__ or {}
 retu

[Zope-Checkins] SVN: Zope/branches/2.9/ - Backport a postonly decorator from Zope trunk's requestmethod decorator factory.

2007-03-20 Thread Martijn Pieters
Log message for revision 73389:
  - Backport a postonly decorator from Zope trunk's requestmethod decorator 
factory.
  - Protect various security-setting-mutators with this decorator.

Changed:
  U   Zope/branches/2.9/doc/CHANGES.txt
  U   Zope/branches/2.9/lib/python/AccessControl/Owned.py
  U   Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py
  U   Zope/branches/2.9/lib/python/AccessControl/Role.py
  U   Zope/branches/2.9/lib/python/AccessControl/User.py
  A   Zope/branches/2.9/lib/python/AccessControl/requestmethod.py
  A   Zope/branches/2.9/lib/python/AccessControl/requestmethod.txt
  A   Zope/branches/2.9/lib/python/AccessControl/tests/test_requestmethod.py
  U   Zope/branches/2.9/lib/python/OFS/DTMLMethod.py
  U   Zope/branches/2.9/lib/python/Products/PythonScripts/PythonScript.py

-=-
Modified: Zope/branches/2.9/doc/CHANGES.txt
===
--- Zope/branches/2.9/doc/CHANGES.txt   2007-03-20 09:02:28 UTC (rev 73388)
+++ Zope/branches/2.9/doc/CHANGES.txt   2007-03-20 09:03:57 UTC (rev 73389)
@@ -8,6 +8,10 @@
 
Bugs fixed
 
+  - Protected various security mutators with a new postonly decorator.
+The decorator limits method publishing to POST requests only, and
+is a backport from Zope 2.11's requestmethod decorator factory.
+
   - Collector #2288: @ and + should not be quoted when forming
 request URLs in BaseRequest and HTTPRequest
 

Modified: Zope/branches/2.9/lib/python/AccessControl/Owned.py
===
--- Zope/branches/2.9/lib/python/AccessControl/Owned.py 2007-03-20 09:02:28 UTC 
(rev 73388)
+++ Zope/branches/2.9/lib/python/AccessControl/Owned.py 2007-03-20 09:03:57 UTC 
(rev 73389)
@@ -18,6 +18,7 @@
 import Globals, urlparse, SpecialUsers, ExtensionClass
 from AccessControl import getSecurityManager, Unauthorized
 from Acquisition import aq_get, aq_parent, aq_base
+from requestmethod import postonly
 from zope.interface import implements
 
 from interfaces import IOwned
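Review bot: As on the 2.8 branch, this is the only hunk the diff shows for Owned.py in 2.9: the `postonly` import is added but nothing in the file is decorated, while the 2.10 and trunk versions of this change put `@postonly` on `manage_takeOwnership` and `manage_changeOwnershipType`. If the decorations were not applied elsewhere in this commit, those two ownership mutators on 2.9 stay exposed to the GET-based attack the backport is meant to stop, and the import is dead. Adding `@postonly` above both `def` lines would close that. The remainder of Owned.py lies outside the hunk.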

Modified: Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py
===
--- Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py 
2007-03-20 09:02:28 UTC (rev 73388)
+++ Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py 
2007-03-20 09:03:57 UTC (rev 73389)
@@ -28,11 +28,14 @@
 from interfaces import IPermissionMappingSupport
 from Owned import UnownableOwner
 from Permission import pname
+from requestmethod import postonly
 
 
 class RoleManager:
 
 implements(IPermissionMappingSupport)
+
+# XXX: No security declarations?
 
 def manage_getPermissionMapping(self):
 """Return the permission mapping for the object
@@ -58,6 +61,7 @@
 a({'permission_name': ac_perms[0], 'class_permission': p})
 return r
 
+@postonly
 def manage_setPermissionMapping(self,
 permission_names=[],
 class_permissions=[], REQUEST=None):

Modified: Zope/branches/2.9/lib/python/AccessControl/Role.py
===
--- Zope/branches/2.9/lib/python/AccessControl/Role.py  2007-03-20 09:02:28 UTC 
(rev 73388)
+++ Zope/branches/2.9/lib/python/AccessControl/Role.py  2007-03-20 09:03:57 UTC 
(rev 73389)
@@ -24,6 +24,7 @@
 
 from interfaces import IRoleManager
 from Permission import Permission
+from requestmethod import postonly
 
 
 DEFAULTMAXLISTUSERS=250
@@ -135,6 +136,7 @@
  help_topic='Security_Manage-Role.stx',
  help_product='OFSP')
 
+@postonly
 def manage_role(self, role_to_manage, permissions=[], REQUEST=None):
 """Change the permissions given to the given role.
 """
@@ -151,6 +153,7 @@
  help_topic='Security_Manage-Acquisition.stx',
  help_product='OFSP')
 
+@postonly
 def manage_acquiredPermissions(self, permissions=[], REQUEST=None):
 """Change the permissions that acquire.
 """
@@ -170,6 +173,7 @@
help_topic='Security_Manage-Permission.stx',
help_product='OFSP')
 
+@postonly
 def manage_permission(self, permission_to_manage,
   roles=[], acquire=0, REQUEST=None):
 """Change the settings for the given permission.
@@ -206,6 +210,7 @@
 else:
 return apply(self._normal_manage_access,(), kw)
 
+@postonly
 def manage_changePermissions(self, REQUEST):
 """Change all permissions settings, called by management screen.
 """
@@ -353,6 +358,7 @@
 dict=self.__ac_local_roles__ or {}
 return tuple(dict.get(userid, []))
 
+@postonly
 def manage_addLocalRoles(self, userid, roles, REQUEST=None

[Zope-Checkins] SVN: Zope/branches/2.10/ - Backport a postonly decorator from Zope trunk's requestmethod decorator factory.

2007-03-20 Thread Martijn Pieters
Log message for revision 73388:
  - Backport a postonly decorator from Zope trunk's requestmethod decorator 
factory.
  - Protect various security-setting-mutators with this decorator.

Changed:
  U   Zope/branches/2.10/doc/CHANGES.txt
  U   Zope/branches/2.10/lib/python/AccessControl/Owned.py
  U   Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py
  U   Zope/branches/2.10/lib/python/AccessControl/Role.py
  U   Zope/branches/2.10/lib/python/AccessControl/User.py
  A   Zope/branches/2.10/lib/python/AccessControl/requestmethod.py
  A   Zope/branches/2.10/lib/python/AccessControl/requestmethod.txt
  A   Zope/branches/2.10/lib/python/AccessControl/tests/test_requestmethod.py
  U   Zope/branches/2.10/lib/python/OFS/DTMLMethod.py
  U   Zope/branches/2.10/lib/python/Products/PythonScripts/PythonScript.py

-=-
Modified: Zope/branches/2.10/doc/CHANGES.txt
===
--- Zope/branches/2.10/doc/CHANGES.txt  2007-03-20 08:56:31 UTC (rev 73387)
+++ Zope/branches/2.10/doc/CHANGES.txt  2007-03-20 09:02:28 UTC (rev 73388)
@@ -8,6 +8,10 @@
 
 Bugs fixed
 
+  - Protected various security mutators with a new postonly decorator.
+The decorator limits method publishing to POST requests only, and
+is a backport from Zope 2.11's requestmethod decorator factory.
+
   - Collector #2289: restored compatibility with PTProfiler
 
   - No longer opens a zodb connection every time a ProductDispatcher

Modified: Zope/branches/2.10/lib/python/AccessControl/Owned.py
===
--- Zope/branches/2.10/lib/python/AccessControl/Owned.py2007-03-20 
08:56:31 UTC (rev 73387)
+++ Zope/branches/2.10/lib/python/AccessControl/Owned.py2007-03-20 
09:02:28 UTC (rev 73388)
@@ -22,6 +22,7 @@
 from AccessControl.Permissions import view_management_screens
 from AccessControl.Permissions import take_ownership
 from Acquisition import aq_get, aq_parent, aq_base
+from requestmethod import postonly
 from zope.interface import implements
 
 from interfaces import IOwned
@@ -177,6 +178,7 @@
 return security.checkPermission('Take ownership', self)
 
 security.declareProtected(take_ownership, 'manage_takeOwnership')
+@postonly
 def manage_takeOwnership(self, REQUEST, RESPONSE, recursive=0):
 """Take ownership (responsibility) for an object.
 
@@ -197,6 +199,7 @@
 RESPONSE.redirect(REQUEST['HTTP_REFERER'])
 
 security.declareProtected(take_ownership, 'manage_changeOwnershipType')
+@postonly
 def manage_changeOwnershipType(self, explicit=1,
RESPONSE=None, REQUEST=None):
 """Change the type (implicit or explicit) of ownership.

Modified: Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py
===
--- Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py
2007-03-20 08:56:31 UTC (rev 73387)
+++ Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py
2007-03-20 09:02:28 UTC (rev 73388)
@@ -28,11 +28,14 @@
 from interfaces import IPermissionMappingSupport
 from Owned import UnownableOwner
 from Permission import pname
+from requestmethod import postonly
 
 
 class RoleManager:
 
 implements(IPermissionMappingSupport)
+
+# XXX: No security declarations?
 
 def manage_getPermissionMapping(self):
 """Return the permission mapping for the object
@@ -58,6 +61,7 @@
 a({'permission_name': ac_perms[0], 'class_permission': p})
 return r
 
+@postonly
 def manage_setPermissionMapping(self,
 permission_names=[],
 class_permissions=[], REQUEST=None):

Modified: Zope/branches/2.10/lib/python/AccessControl/Role.py
===
--- Zope/branches/2.10/lib/python/AccessControl/Role.py 2007-03-20 08:56:31 UTC 
(rev 73387)
+++ Zope/branches/2.10/lib/python/AccessControl/Role.py 2007-03-20 09:02:28 UTC 
(rev 73388)
@@ -27,6 +27,7 @@
 
 from interfaces import IRoleManager
 from Permission import Permission
+from requestmethod import postonly
 
 
 DEFAULTMAXLISTUSERS=250
@@ -128,6 +129,7 @@
  help_product='OFSP')
 
 security.declareProtected(change_permissions, 'manage_role')
+@postonly
 def manage_role(self, role_to_manage, permissions=[], REQUEST=None):
 """Change the permissions given to the given role.
 """
@@ -146,6 +148,7 @@
  help_product='OFSP')
 
 security.declareProtected(change_permissions, 'manage_acquiredPermissions')
+@postonly
 def manage_acquiredPermissions(self, permissions=[], REQUEST=None):
 """Change the permissions that acquire.
 """
@@ -167,6 +170,7 @@
help_product='OFSP')
 

[Zope-Checkins] SVN: Zope/trunk/ - Add a request method decorator to AccessControl, creating decorators that limit a method to one request method only.

2007-03-20 Thread Martijn Pieters
Log message for revision 73386:
  - Add a request method decorator to AccessControl, creating decorators that 
limit a method to one request method only.
  - Protect various security-setting-mutators with a POST-only decorator.

Changed:
  U   Zope/trunk/doc/CHANGES.txt
  U   Zope/trunk/lib/python/AccessControl/Owned.py
  U   Zope/trunk/lib/python/AccessControl/PermissionMapping.py
  U   Zope/trunk/lib/python/AccessControl/Role.py
  U   Zope/trunk/lib/python/AccessControl/User.py
  A   Zope/trunk/lib/python/AccessControl/requestmethod.py
  A   Zope/trunk/lib/python/AccessControl/requestmethod.txt
  A   Zope/trunk/lib/python/AccessControl/tests/test_requestmethod.py
  U   Zope/trunk/lib/python/OFS/DTMLMethod.py
  U   Zope/trunk/lib/python/Products/PythonScripts/PythonScript.py

-=-
Modified: Zope/trunk/doc/CHANGES.txt
===
--- Zope/trunk/doc/CHANGES.txt  2007-03-20 08:07:42 UTC (rev 73385)
+++ Zope/trunk/doc/CHANGES.txt  2007-03-20 08:50:24 UTC (rev 73386)
@@ -51,6 +51,12 @@
 
 Features added
 
+  - A new module, AccessControl.requestmethod, provides a decorator
+factory that limits decorated methods to one request method only.
+For example, marking a method with @requestmethod('POST') limits
+that method to POST requests only when published. Several
+security-related methods have been limited to POST only.
+
   - PythonScripts: allow usage of Python's 'sets' module
 
   - added 'fast_listen' directive to http-server and webdav-source-server

Modified: Zope/trunk/lib/python/AccessControl/Owned.py
===
--- Zope/trunk/lib/python/AccessControl/Owned.py2007-03-20 08:07:42 UTC 
(rev 73385)
+++ Zope/trunk/lib/python/AccessControl/Owned.py2007-03-20 08:50:24 UTC 
(rev 73386)
@@ -22,6 +22,7 @@
 from AccessControl.Permissions import view_management_screens
 from AccessControl.Permissions import take_ownership
 from Acquisition import aq_get, aq_parent, aq_base
+from requestmethod import requestmethod
 from zope.interface import implements
 
 from interfaces import IOwned
@@ -177,6 +178,7 @@
 return security.checkPermission('Take ownership', self)
 
 security.declareProtected(take_ownership, 'manage_takeOwnership')
+@requestmethod('POST')
 def manage_takeOwnership(self, REQUEST, RESPONSE, recursive=0):
 """Take ownership (responsibility) for an object.
 
@@ -197,6 +199,7 @@
 RESPONSE.redirect(REQUEST['HTTP_REFERER'])
 
 security.declareProtected(take_ownership, 'manage_changeOwnershipType')
+@requestmethod('POST')
 def manage_changeOwnershipType(self, explicit=1,
RESPONSE=None, REQUEST=None):
 """Change the type (implicit or explicit) of ownership.

Modified: Zope/trunk/lib/python/AccessControl/PermissionMapping.py
===
--- Zope/trunk/lib/python/AccessControl/PermissionMapping.py2007-03-20 
08:07:42 UTC (rev 73385)
+++ Zope/trunk/lib/python/AccessControl/PermissionMapping.py2007-03-20 
08:50:24 UTC (rev 73386)
@@ -28,11 +28,14 @@
 from interfaces import IPermissionMappingSupport
 from Owned import UnownableOwner
 from Permission import pname
+from requestmethod import requestmethod
 
 
 class RoleManager:
 
 implements(IPermissionMappingSupport)
+
+# XXX: No security declarations?
 
 def manage_getPermissionMapping(self):
 """Return the permission mapping for the object
@@ -58,6 +61,7 @@
 a({'permission_name': ac_perms[0], 'class_permission': p})
 return r
 
+@requestmethod('POST')
 def manage_setPermissionMapping(self,
 permission_names=[],
 class_permissions=[], REQUEST=None):
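Review bot: `manage_setPermissionMapping` is now limited to POST, but the same file's `RoleManager` receives a new `# XXX: No security declarations?` comment in the hunk above and this hunk adds no permission declaration for the mutator, so the commit constrains the request method without settling who may call it. If protection is meant to come from defaults the class acquires, that should be stated in place of the XXX; otherwise a `ClassSecurityInfo()` on the class with `security.declareProtected(change_permissions, 'manage_setPermissionMapping')`, mirroring what Role.py does for `manage_role` (with the corresponding import from AccessControl.Permissions), would resolve the question inside the security fix rather than leave it open. The method body continues outside the hunk.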

Modified: Zope/trunk/lib/python/AccessControl/Role.py
===
--- Zope/trunk/lib/python/AccessControl/Role.py 2007-03-20 08:07:42 UTC (rev 
73385)
+++ Zope/trunk/lib/python/AccessControl/Role.py 2007-03-20 08:50:24 UTC (rev 
73386)
@@ -28,6 +28,7 @@
 
 from interfaces import IRoleManager
 from Permission import Permission
+from requestmethod import requestmethod
 
 
 DEFAULTMAXLISTUSERS=250
@@ -129,6 +130,7 @@
  help_product='OFSP')
 
 security.declareProtected(change_permissions, 'manage_role')
+@requestmethod('POST')
 def manage_role(self, role_to_manage, permissions=[], REQUEST=None):
 """Change the permissions given to the given role.
 """
@@ -147,6 +149,7 @@
  help_product='OFSP')
 
 security.declareProtected(change_permissions, 'manage_acquiredPermissions')
+@requestmethod('POST')
 def manage_acquiredPermissions(self, permissions=[], REQUEST=None):
 """Change the permissions that acquire.
 """
@