Log message for revision 77049: Protect names from interface superclasses. o See http://www.zope.org/Collectors/Zope/2333
Changed: U Products.Five/branches/1.3/CHANGES.txt U Products.Five/branches/1.3/browser/metaconfigure.py U Products.Five/branches/1.3/tests/test_security.py -=- Modified: Products.Five/branches/1.3/CHANGES.txt =================================================================== --- Products.Five/branches/1.3/CHANGES.txt 2007-06-25 15:00:17 UTC (rev 77048) +++ Products.Five/branches/1.3/CHANGES.txt 2007-06-25 15:11:31 UTC (rev 77049) @@ -5,6 +5,9 @@ Five 1.3.9 (svn/unreleased) =========================== +* Five.browser.metaconfigure.page didn't protect names from interface + superclasses (http://www.zope.org/Collectors/Zope/2333) + * ObjectCopiedEvent was not dispatched to sublocations. (http://www.zope.org/Collectors/Zope/2307) Modified: Products.Five/branches/1.3/browser/metaconfigure.py =================================================================== --- Products.Five/branches/1.3/browser/metaconfigure.py 2007-06-25 15:00:17 UTC (rev 77048) +++ Products.Five/branches/1.3/browser/metaconfigure.py 2007-06-25 15:11:31 UTC (rev 77049) @@ -58,7 +58,7 @@ allowed_attributes = [] if allowed_interface is not None: for interface in allowed_interface: - allowed_attributes.extend(interface.names()) + allowed_attributes.extend(interface.names(all=True)) if attribute != '__call__': if template: Modified: Products.Five/branches/1.3/tests/test_security.py =================================================================== --- Products.Five/branches/1.3/tests/test_security.py 2007-06-25 15:00:17 UTC (rev 77048) +++ Products.Five/branches/1.3/tests/test_security.py 2007-06-25 15:11:31 UTC (rev 77049) @@ -22,9 +22,21 @@ from zope.interface import Interface, implements from AccessControl import ClassSecurityInfo -class IDummy(Interface): +class ISuperDummy(Interface): + """ + """ + + def superMethod(): + """ + """ + +class IDummy(ISuperDummy): """Just a marker interface""" + def foo(): + """ + """ + class Dummy1: implements(IDummy) def foo(self): pass 
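Review bot: The `all=True` argument on `interface.names(...)` in the metaconfigure.py hunk is the whole security fix, yet nothing at the call site says why it is there, so a later tidy-up could drop it and leave inherited names outside the page's permission declaration again. I would put a comment above the `extend` call, e.g. `# all=True: also protect names inherited from base interfaces (Collector #2333)`. It also means every name anywhere in the base-interface chain is now bound to the page permission, so an `allowed_interface` that extends a broad base covers more than its own declarations. That looks intended, but the directive's documentation should say so. The enclosing function starts and ends outside the hunk.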
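Review bot: `IDummy` keeps its docstring `"""Just a marker interface"""` in the first test_security.py hunk even though it now declares `foo()` and inherits `superMethod()` from `ISuperDummy`, so the docstring is no longer true. The security test added later in this commit depends on exactly which names each interface contributes, so I would reword it to something like `"""Declares foo(); inherits superMethod() from ISuperDummy."""`. `ISuperDummy` and the two method declarations should also get one-line docstrings instead of the empty ones. `Dummy1`'s body continues outside the hunk.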
@@ -32,6 +44,7 @@ def baz(self): pass def keg(self): pass def wot(self): pass + def superMethod(self): pass class Dummy2(Dummy1): security = ClassSecurityInfo() 
@@ -136,6 +149,78 @@ >>> tearDown() """ +def test_allowed_interface(): + """This test demonstrates that allowed_interface security declarations work + as expected. + + >>> from zope.app.testing.placelesssetup import setUp, tearDown + >>> setUp() + + Before we can make security declarations through ZCML, we need to + register the directive and the permission: + + >>> import Products.Five + >>> from Products.Five import zcml + >>> zcml.load_config('meta.zcml', Products.Five) + >>> import Products.Five.browser + >>> zcml.load_config('meta.zcml', Products.Five.browser) + >>> zcml.load_config('permissions.zcml', Products.Five) + + Now we provide some ZCML declarations for ``Dummy1``: + + >>> configure_zcml = ''' + ... <configure xmlns="http://namespaces.zope.org/zope" + ... xmlns:browser="http://namespaces.zope.org/browser"> + ... <browser:page + ... for="*" + ... name="testview" + ... permission="zope2.ViewManagementScreens" + ... class="Products.Five.tests.test_security.Dummy1" + ... allowed_interface="Products.Five.tests.test_security.IDummy" /> + ... </configure> + ... ''' + >>> zcml.load_string(configure_zcml) + + We are going to check that roles are correctly setup, so we need getRoles. + + >>> from AccessControl.ZopeSecurityPolicy import getRoles + >>> from AccessControl import ACCESS_PRIVATE + + Due to the nasty voodoo involved in Five's handling of view classes, + browser:page doesn't apply security to Dummy1, but rather to the "magic" + view class that is created at ZCML parse time. That means we can't just + instanciate with Dummy1() directly and expect a security-aware instance :(. + Instead, we'll have to actually lookup the view. The view was declared for + "*", so we just use an instance of Dummy1 ;-). + + Instanciate a Dummy1 object to test with. 
+ + >>> from Products.Five.tests.test_security import Dummy1 + >>> dummy1 = Dummy1() + >>> from zope.component import getMultiAdapter + >>> from zope.publisher.browser import TestRequest + >>> request = TestRequest() + >>> view = getMultiAdapter((dummy1, request), name="testview") + + As 'foo' is defined in IDummy, it should have the 'Manager' role. + + >>> getRoles(view, 'foo', view.foo, ('Def',)) + ('Manager',) + + As 'wot' is not defined in IDummy, it should be private. + + >>> getRoles(view, 'wot', view.wot, ('Def',)) is ACCESS_PRIVATE + True + + But 'superMethod' is defined on IDummy by inheritance from ISuperDummy, and + so should have the 'Manager' role setup. + + >>> getRoles(view, 'superMethod', view.superMethod, ('Def',)) + ('Manager',) + + >>> tearDown() + """ + def test_checkPermission(): """ Test checkPermission _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins
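Review bot: `test_allowed_interface` pins only one level of inheritance with a single interface in `allowed_interface`, so it would still pass if a later change resolved direct bases only. Adding a grandparent interface, or a second allowed interface sharing a base, and asserting `getRoles` for its method would pin the behaviour that `names(all=True)` is relied on for. The docstring prose also spells "instantiate" as "instanciate" twice, and "correctly setup" should read "correctly set up".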