Log message for revision 71419: View methods which aren't explicitly declared as allowed must be marked private explicitly to avoid being web publishable.
Changed: U Products.Five/branches/1.4/CHANGES.txt U Products.Five/branches/1.4/browser/metaconfigure.py U Products.Five/branches/1.4/browser/tests/defaultview.zcml U Products.Five/branches/1.4/browser/tests/pages.txt U Products.Five/branches/1.4/browser/tests/pages.zcml U Products.Five/branches/1.4/browser/tests/pages_ftest.txt -=- Modified: Products.Five/branches/1.4/CHANGES.txt =================================================================== --- Products.Five/branches/1.4/CHANGES.txt 2006-12-05 15:32:28 UTC (rev 71418) +++ Products.Five/branches/1.4/CHANGES.txt 2006-12-05 18:13:34 UTC (rev 71419) @@ -8,6 +8,9 @@ Bugfixes -------- +* View methods which aren't explicitly declared as allowed must be marked + private explicitly to avoid being web publishable. + * site/metaconfigure: Local site hook now only applied once per class, so multiple <five:localsite> tags for the same class won't cause config errors. Modified: Products.Five/branches/1.4/browser/metaconfigure.py =================================================================== --- Products.Five/branches/1.4/browser/metaconfigure.py 2006-12-05 15:32:28 UTC (rev 71418) +++ Products.Five/branches/1.4/browser/metaconfigure.py 2006-12-05 18:13:34 UTC (rev 71419) @@ -19,6 +19,7 @@ $Id$ """ import os +from inspect import ismethod from zope.interface import Interface from zope.configuration.exceptions import ConfigurationError @@ -39,6 +40,7 @@ from Products.Five.browser.pagetemplatefile import ZopeTwoPageTemplateFile from Products.Five.metaclass import makeClass from Products.Five.security import getSecurityInfo, protectClass, protectName +from Products.Five.security import CheckerPrivateId from Globals import InitializeClass as initializeClass 
@@ -136,6 +138,19 @@ callable = protectName, args = (new_class, attr, permission) ) + # Make everything else private + allowed = [attribute] + (allowed_attributes or []) + private_attrs = [name for name in dir(new_class) + if (not name.startswith('_')) and + (name not in allowed) and + ismethod(getattr(new_class, name))] + for attr in private_attrs: + _context.action( + discriminator = ('five:protectName', new_class, attr), + callable = protectName, + args = (new_class, attr, CheckerPrivateId) + ) + # Protect the class _context.action( discriminator = ('five:initialize:class', new_class), callable = initializeClass, Modified: Products.Five/branches/1.4/browser/tests/defaultview.zcml =================================================================== --- Products.Five/branches/1.4/browser/tests/defaultview.zcml 2006-12-05 15:32:28 UTC (rev 71418) +++ Products.Five/branches/1.4/browser/tests/defaultview.zcml 2006-12-05 18:13:34 UTC (rev 71419) @@ -30,6 +30,11 @@ <five:defaultViewable class="Products.Five.tests.testing.simplecontent.IndexSimpleContent" /> + <class class="Products.Five.tests.testing.simplecontent.IIndexSimpleContent"> + <require permission="zope2.Public" + attributes="index_html"/> + </class> + <browser:defaultView for="Products.Five.tests.testing.simplecontent.IIndexSimpleContent" name="index_html" Modified: Products.Five/branches/1.4/browser/tests/pages.txt =================================================================== --- Products.Five/branches/1.4/browser/tests/pages.txt 2006-12-05 15:32:28 UTC (rev 71418) +++ Products.Five/branches/1.4/browser/tests/pages.txt 2006-12-05 18:13:34 UTC (rev 71419) @@ -279,7 +279,7 @@ >>> self.login('manager') Being logged in as a manager again, we find that the protected pages -are not accessible to us: +are accessible to us: >>> for view_name in protected_view_names: ... checkRestricted( 
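Review bot: The `ismethod(getattr(new_class, name))` test in the new `private_attrs` comprehension is narrower than the "Make everything else private" comment above it: only true methods are marked private, so a callable class attribute that is not a method — a `staticmethod`, or a page-template object assigned on the view class — keeps whatever protection it had before and may still be reachable TTW. If "everything not explicitly allowed" is the intended contract, `callable(getattr(new_class, name, None))` closes that gap, and marking a non-publishable callable private costs nothing. `allowed` is built only from `attribute` and `allowed_attributes`; whether names granted through `allowed_interface` have already been merged into `allowed_attributes` is decided earlier in the function, outside the hunk — if they have not, they would be registered again here with `CheckerPrivateId` under the same `('five:protectName', new_class, attr)` discriminator, which I would expect zope.configuration to report as a conflict rather than silently override, but that is worth confirming with a test. The scan is also a snapshot: a short comment such as `# dir() runs at ZCML load time; attributes added to the class later get no protection here` would save the next reader from assuming otherwise. The enclosing directive handler starts and ends outside this hunk.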
@@ -290,7 +290,13 @@ ... self.folder, ... 'context.restrictedTraverse("testoid/eagle.method").eagle()') +Even when logged in though the private methods should not be accessible: + >>> checkUnauthorized( self.folder, + ... 'context.restrictedTraverse("testoid/eagle.method").mouse()') + + + Other ----- Modified: Products.Five/branches/1.4/browser/tests/pages.zcml =================================================================== --- Products.Five/branches/1.4/browser/tests/pages.zcml 2006-12-05 15:32:28 UTC (rev 71418) +++ Products.Five/branches/1.4/browser/tests/pages.zcml 2006-12-05 18:13:34 UTC (rev 71419) @@ -19,7 +19,7 @@ for="Products.Five.tests.testing.simplecontent.ISimpleContent" class=".pages.SimpleView" name="eagle.method" - permission="zope2.ViewManagementScreens" + permission="zope2.View" allowed_attributes="eagle" /> Modified: Products.Five/branches/1.4/browser/tests/pages_ftest.txt =================================================================== --- Products.Five/branches/1.4/browser/tests/pages_ftest.txt 2006-12-05 15:32:28 UTC (rev 71418) +++ Products.Five/branches/1.4/browser/tests/pages_ftest.txt 2006-12-05 18:13:34 UTC (rev 71419) @@ -81,6 +81,13 @@ ... status = response.getStatus() ... self.failUnless(status == 401, (status, 401, view_name)) +Methods of views which were not explicitly declared as allowed should not be +accessible TTW, even if we have the permission to render the view: + + >>> response = self.publish('/test_folder_1_/testoid/eagle.method/mouse', + ... basic='viewer:secret') + >>> self.assertEqual(response.getStatus(), 401) + The same should apply for the user if he has all other permissions except 'View management screens': @@ -122,6 +129,7 @@ ... self.failUnless(status == 200, (status, 200, view_name)) + Miscellaneous ------------- _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins