Log message for revision 114789:
make sure that the browser:view directive doesn't clobber security
declarations for attributes which are not included in allowed_attributes or
allowed_interface but which already have security declarations in a base
class's security info. This is needed to provide access to, e.g.,
restrictedTraverse on views that subclass Traversable
Changed:
U Zope/branches/2.12/doc/CHANGES.rst
U Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py
U Zope/branches/2.12/src/Products/Five/browser/tests/pages.py
U Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt
U Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml
U Zope/branches/2.12/src/Products/Five/security.py
-=-
Modified: Zope/branches/2.12/doc/CHANGES.rst
===
--- Zope/branches/2.12/doc/CHANGES.rst 2010-07-15 19:52:12 UTC (rev 114788)
+++ Zope/branches/2.12/doc/CHANGES.rst 2010-07-16 05:56:26 UTC (rev 114789)
@@ -11,6 +11,12 @@
Bugs Fixed
++
+- Fix support for non-public permission attributes in the
+ browser:view directive so that attributes which are not included in
+ allowed_interface or allowed_attributes but which have declarations from a
+ base class's security info don't get their security overwritten to be
+ private.
+
- LP #143755: Also catch TypeError when trying to determine an
indexable value for an object in PluginIndexes.common.UnIndex
Modified: Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py
===
--- Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py
2010-07-15 19:52:12 UTC (rev 114788)
+++ Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py
2010-07-16 05:56:26 UTC (rev 114789)
@@ -315,7 +315,7 @@
_context.action(
discriminator = ('five:protectName', newclass, attr),
callable = protectName,
-args = (newclass, attr, CheckerPrivateId)
+args = (newclass, attr, CheckerPrivateId, False)
)
# Protect the class
Modified: Zope/branches/2.12/src/Products/Five/browser/tests/pages.py
===
--- Zope/branches/2.12/src/Products/Five/browser/tests/pages.py 2010-07-15
19:52:12 UTC (rev 114788)
+++ Zope/branches/2.12/src/Products/Five/browser/tests/pages.py 2010-07-16
05:56:26 UTC (rev 114789)
@@ -17,6 +17,7 @@
from Products.Five import BrowserView
from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
+from OFS.SimpleItem import SimpleItem
class SimpleView(BrowserView):
More docstring. Please Zope
@@ -40,6 +41,11 @@
def __call__(self):
return uI was __call__()'ed
+class PermissionView(BrowserView, SimpleItem):
+
+def __call__(self):
+return uI was __call__()'ed
+
class CallTemplate(BrowserView):
__call__ = ViewPageTemplateFile('falcon.pt')
Modified: Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt
===
--- Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt
2010-07-15 19:52:12 UTC (rev 114788)
+++ Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt
2010-07-16 05:56:26 UTC (rev 114789)
@@ -275,6 +275,13 @@
aq_parent(aq_inner(context))
Folder at /test_folder_1_
+Make sure that methods which are not included in the allowed interface or
+attributes, but which already had security declarations from a base class,
+don't get those declarations overridden to be private. (The roles for
+restrictedTraverse should be None, indicating it is public.)
+
+ view.restrictedTraverse__roles__
+
High-level security
---
Modified: Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml
===
--- Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml
2010-07-15 19:52:12 UTC (rev 114788)
+++ Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml
2010-07-16 05:56:26 UTC (rev 114789)
@@ -237,7 +237,7 @@
browser:view
name=permission_view
for=Products.Five.tests.testing.simplecontent.ISimpleContent
- class=.pages.CallView
+ class=.pages.PermissionView
permission=zope2.ViewManagementScreens
/
Modified: Zope/branches/2.12/src/Products/Five/security.py
===
--- Zope/branches/2.12/src/Products/Five/security.py2010-07-15 19:52:12 UTC
(rev 114788)
+++ Zope/branches/2.12/src/Products/Five/security.py2010-07-16 05:56:26 UTC
(rev 114789)
@@ -127,12 +127,15 @@
setattr(klass, '__security__', security)
return security
-def protectName(klass, name, permission_id):
+def protectName(klass, name, permission_id,