Log message for revision 114789: Make sure that the browser:view directive doesn't clobber security declarations for attributes that are not included in allowed_attributes or allowed_interface but that already have security declarations in a base class's security info. This is needed to provide access to, e.g., restrictedTraverse on views that subclass Traversable.
Changed: U Zope/branches/2.12/doc/CHANGES.rst U Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py U Zope/branches/2.12/src/Products/Five/browser/tests/pages.py U Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt U Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml U Zope/branches/2.12/src/Products/Five/security.py -=- Modified: Zope/branches/2.12/doc/CHANGES.rst =================================================================== --- Zope/branches/2.12/doc/CHANGES.rst 2010-07-15 19:52:12 UTC (rev 114788) +++ Zope/branches/2.12/doc/CHANGES.rst 2010-07-16 05:56:26 UTC (rev 114789) @@ -11,6 +11,12 @@ Bugs Fixed ++++++++++ +- Fix support for non-public permission attributes in the + browser:view directive so that attributes which are not included in + allowed_interface or allowed_attributes but which have declarations from a + base class's security info don't get their security overwritten to be + private. + - LP #143755: Also catch TypeError when trying to determine an indexable value for an object in PluginIndexes.common.UnIndex Modified: Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py =================================================================== --- Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py 2010-07-15 19:52:12 UTC (rev 114788) +++ Zope/branches/2.12/src/Products/Five/browser/metaconfigure.py 2010-07-16 05:56:26 UTC (rev 114789) @@ -315,7 +315,7 @@ _context.action( discriminator = ('five:protectName', newclass, attr), callable = protectName, - args = (newclass, attr, CheckerPrivateId) + args = (newclass, attr, CheckerPrivateId, False) ) # Protect the class Modified: Zope/branches/2.12/src/Products/Five/browser/tests/pages.py =================================================================== --- Zope/branches/2.12/src/Products/Five/browser/tests/pages.py 2010-07-15 19:52:12 UTC (rev 114788) +++ Zope/branches/2.12/src/Products/Five/browser/tests/pages.py 2010-07-16 05:56:26 UTC (rev 114789) 
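Review bot: The bare positional `False` added to `args` gives no hint at this call site that it relaxes the private-by-default rule for attributes outside allowed_attributes/allowed_interface. With it, any such attribute that already exposes a `name__roles__` on the new class keeps that existing declaration, which per the accompanying doctest can be public (`None`), so the directive's `permission` no longer bounds those names. I would add a comment above the action, e.g. `# Keep declarations inherited from base classes (possibly public); only undeclared names become private.`, and, if the installed zope.configuration `action()` accepts a `kw` argument (to be confirmed), pass `kw={'override_existing_protection': False}` instead of the positional flag. The enclosing loop starts above the hunk, so which names reach this call is not visible here.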
@@ -17,6 +17,7 @@ """ from Products.Five import BrowserView from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile +from OFS.SimpleItem import SimpleItem class SimpleView(BrowserView): """More docstring. Please Zope""" @@ -40,6 +41,11 @@ def __call__(self): return u"I was __call__()'ed" +class PermissionView(BrowserView, SimpleItem): + + def __call__(self): + return u"I was __call__()'ed" + class CallTemplate(BrowserView): __call__ = ViewPageTemplateFile('falcon.pt') Modified: Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt =================================================================== --- Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt 2010-07-15 19:52:12 UTC (rev 114788) +++ Zope/branches/2.12/src/Products/Five/browser/tests/pages.txt 2010-07-16 05:56:26 UTC (rev 114789) @@ -275,6 +275,13 @@ >>> aq_parent(aq_inner(context)) <Folder at /test_folder_1_> +Make sure that methods which are not included in the allowed interface or +attributes, but which already had security declarations from a base class, +don't get those declarations overridden to be private. (The roles for +restrictedTraverse should be None, indicating it is public.) + + >>> view.restrictedTraverse__roles__ + High-level security ------------------- Modified: Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml =================================================================== --- Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml 2010-07-15 19:52:12 UTC (rev 114788) +++ Zope/branches/2.12/src/Products/Five/browser/tests/pages.zcml 2010-07-16 05:56:26 UTC (rev 114789) 
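Review bot: `PermissionView` has no docstring or comment, while `SimpleView` in the earlier hunk of this file carries one. A reader cannot tell that the `SimpleItem` base is there only to bring inherited security declarations into the fixture, which is my reading of the commit message. A one-line docstring such as `"""View that inherits security declarations from SimpleItem."""` would make that purpose explicit. Its `__call__` repeats the body shown in the context lines just above it, and a short comment saying the duplication is intentional would help too.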
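Review bot: The new example `>>> view.restrictedTraverse__roles__` passes only because a `None` result prints nothing, so the expected value is invisible in the test and lives only in the prose above it. Writing it as `>>> view.restrictedTraverse__roles__ is None` followed by `True` states the expectation outright. The hunk also lacks the opposite case. An attribute outside allowed_interface/allowed_attributes that has no inherited declaration should still come out private, and asserting that next to this example would guard the default-deny behaviour that the new flag relaxes.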
@@ -237,7 +237,7 @@ <browser:view name="permission_view" for="Products.Five.tests.testing.simplecontent.ISimpleContent" - class=".pages.CallView" + class=".pages.PermissionView" permission="zope2.ViewManagementScreens" /> Modified: Zope/branches/2.12/src/Products/Five/security.py =================================================================== --- Zope/branches/2.12/src/Products/Five/security.py 2010-07-15 19:52:12 UTC (rev 114788) +++ Zope/branches/2.12/src/Products/Five/security.py 2010-07-16 05:56:26 UTC (rev 114789) @@ -127,12 +127,15 @@ setattr(klass, '__security__', security) return security -def protectName(klass, name, permission_id): +def protectName(klass, name, permission_id, override_existing_protection=True): """Protect the attribute 'name' on 'klass' using the given permission""" security = _getSecurity(klass) # Zope 2 uses string, not unicode yet name = str(name) + if not override_existing_protection and ('%s__roles__' % name) in dir(klass): + # There is already a declaration for this name from a base class. + return if permission_id == CheckerPublicId or permission_id is CheckerPublic: # Sometimes, we already get a processed permission id, which # can mean that 'zope.Public' has been interchanged for the _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org https://mail.zope.org/mailman/listinfo/zope-checkins
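Review bot: The early return in `protectName` fires for any `name__roles__` that `dir(klass)` reports, so it also covers a declaration set on `klass` itself, not only one "from a base class" as the added comment says. It also leaves that declaration in place whatever it grants, including public. The docstring still describes only the old three-argument behaviour. I would extend it with `If override_existing_protection is false and klass already exposes '<name>__roles__' (own or inherited), leave the existing declaration untouched.` and reword the comment to `# A declaration for this name is already visible on klass (own or inherited); keep it.` The function body continues below the hunk, so how the skipped names interact with the later permission handling is not visible here.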