[Zope-Checkins] CVS: Zope/lib/python/Zope/App - startup.py:1.1.6.2

Jim Fulton jim@zope.com
Tue, 10 Jun 2003 13:36:23 -0400


Update of /cvs-repository/Zope/lib/python/Zope/App
In directory cvs.zope.org:/tmp/cvs-serv16278

Modified Files:
      Tag: Zope-2_6-branch
	startup.py 
Log Message:
Changed the zpublisher_validated_hook to check whether the request
contains a version name. If it does, then we check whether the user
globally has permission to join/leave versions. If they don't, we
clear the cookie and raise Unauthorized. This will abort any changes that
might have been made during traversal. (If some traversal code makes
changes and commits them, then we still lose and probably deserve to.)


=== Zope/lib/python/Zope/App/startup.py 1.1.6.1 => 1.1.6.2 ===
--- Zope/lib/python/Zope/App/startup.py:1.1.6.1	Tue Oct 22 10:15:30 2002
+++ Zope/lib/python/Zope/App/startup.py	Tue Jun 10 13:36:23 2003
@@ -13,24 +13,26 @@
 """Initialize the Zope Package and provide a published module
 """
 
-import sys
-import os
-import imp
-from types import StringType, ListType
-
-import Zope
+from AccessControl.SecurityManagement import newSecurityManager
+from AccessControl.SecurityManagement import noSecurityManager
+from AccessControl.SecurityManagement import getSecurityManager
 from Acquisition import aq_acquire
-import App.FindHomes
-import ZODB
-import ZODB.ZApplication
+from types import StringType, ListType
+from zExceptions import Unauthorized
+from zLOG import LOG, WARNING, INFO, BLATHER, log_time
 from ZODB.POSException import ConflictError
+import AccessControl.User
+import App.FindHomes
+import ExtensionClass
 import Globals
+import imp
 import OFS.Application
-import AccessControl.SecurityManagement
-import AccessControl.User
+import os
+import sys
+import ZODB
+import ZODB.ZApplication
+import Zope
 import ZPublisher
-import ExtensionClass
-from zLOG import LOG, WARNING, INFO, BLATHER, log_time
 
 
 def startup():
@@ -76,8 +78,7 @@
     DB.setClassFactory(ClassFactory.ClassFactory)
 
     # "Log on" as system user
-    AccessControl.SecurityManagement.newSecurityManager(
-        None, AccessControl.User.system)
+    newSecurityManager(None, AccessControl.User.system)
 
     # Set up the "app" object that automagically opens
     # connections
@@ -96,7 +97,7 @@
     application._p_jar.close()
 
     # "Log off" as system user
-    AccessControl.SecurityManagement.noSecurityManager()
+    noSecurityManager()
 
     # This is really ugly.  Please remember to remove Main.py before
     # Zope 2.7 and fix whatever breaks, if anything.
@@ -107,9 +108,23 @@
 
     Zope.zpublisher_transactions_manager = TransactionsManager()
     Zope.zpublisher_exception_hook = zpublisher_exception_hook
-    Zope.zpublisher_validated_hook = (
-        AccessControl.SecurityManagement.newSecurityManager)
-    Zope.__bobo_before__ = AccessControl.SecurityManagement.noSecurityManager
+    Zope.zpublisher_validated_hook = validated_hook
+    Zope.__bobo_before__ = noSecurityManager
+
+
+def validated_hook(request, user):
+    newSecurityManager(request, user)
+    if request.get(Globals.VersionNameName, ''):
+        object = user.aq_parent
+        if not getSecurityManager().checkPermission(
+            'Join/leave Versions', object):
+            request['RESPONSE'].setCookie(
+                Globals.VersionNameName,'No longer active',
+                expires="Mon, 25-Jan-1999 23:59:59 GMT",
+                path=(request['BASEPATH1'] or '/'),
+                )
+            raise Unauthorized, "You don't have permission to enter versions."
+    
 
 
 class RequestContainer(ExtensionClass.Base):
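Review bot: `validated_hook` has no docstring or comment, so the security reasoning from the log message is not recorded in startup.py: the permission check runs only after traversal and relies on the raised `Unauthorized` aborting the transaction. I would add a docstring along the lines of `"""Install the security manager, then refuse requests that name a version unless the user has 'Join/leave Versions' on user.aq_parent. Runs after traversal: changes committed during traversal are not undone."""`. The check also assumes `user` is acquisition-wrapped; if the hook can ever be handed an unwrapped user, `user.aq_parent` would raise AttributeError rather than `Unauthorized`, which is worth confirming against the callers outside this diff. As a style point, the local name `object` shadows the builtin; something like `context = user.aq_parent` reads more clearly.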