[Zope3-checkins] SVN: Zope3/trunk/src/zope/app/pagelet/ Fix permission for pagelets

Roger Ineichen roger at projekt01.ch
Thu Mar 17 21:04:07 EST 2005


Log message for revision 29536:
  Fix permission for pagelets

Changed:
  U   Zope3/trunk/src/zope/app/pagelet/collector.py
  U   Zope3/trunk/src/zope/app/pagelet/metaconfigure.py
  U   Zope3/trunk/src/zope/app/pagelet/tests/__init__.py

-=-
Modified: Zope3/trunk/src/zope/app/pagelet/collector.py
===================================================================
--- Zope3/trunk/src/zope/app/pagelet/collector.py	2005-03-17 22:44:37 UTC (rev 29535)
+++ Zope3/trunk/src/zope/app/pagelet/collector.py	2005-03-18 02:04:06 UTC (rev 29536)
@@ -18,7 +18,9 @@
 __docformat__ = 'restructuredtext'
 
 from zope.interface import implements
-from zope.interface import directlyProvides
+from zope.proxy import isProxy
+from zope.security import canAccess
+from zope.security.interfaces import Unauthorized
 
 from zope.app import zapi
 
@@ -30,17 +32,18 @@
 
 class MacrosCollector(object):
     """Replaceable sample implementation of IMacrosCollector.
-    
+
     Collects pagelets from the site manager.
     Pagelet adapters are registred on context, request, view and slot
     interfaces. Use your own IMacrosCollector implementation for
     to support a layout manager.
 
     Imports:
-    
+
         >>> from zope.interface import Interface
+        >>> from zope.security.checker import defineChecker
         >>> from zope.publisher.browser import TestRequest
-        >>> from zope.publisher.interfaces.browser import IBrowserRequest
+        >>> from zope.publisher.interfaces.browser import IDefaultBrowserLayer
         >>> from zope.component.interfaces import IView
         >>> from zope.app.publisher.browser import BrowserView
         >>> from zope.app.pagelet.interfaces import IPagelet
@@ -48,10 +51,10 @@
         >>> from zope.app.pagelet.tests import TestPagelet
         >>> from zope.app.pagelet.tests import TestContext
         >>> from zope.app.pagelet.tests import TestSlot
+        >>> from zope.app.pagelet.tests import testChecker
 
     Setup pagelet:
 
-        >>> ob = TestContext()
         >>> name = 'testpagelet'
         >>> factory = TestPagelet
 
@@ -59,13 +62,15 @@
 
         >>> from zope.app.testing import placelesssetup, ztapi
         >>> placelesssetup.setUp()
+        >>> defineChecker(factory, testChecker)
         >>> gsm = zapi.getGlobalSiteManager()
         >>> gsm.provideAdapter(
-        ...        (Interface, IBrowserRequest, IView, IPageletSlot)
+        ...        (Interface, IDefaultBrowserLayer, IView, IPageletSlot)
         ...        , IPagelet, name, factory)
 
     Setup macros collector:
-        
+
+        >>> ob = TestContext()
         >>> request = TestRequest()
         >>> view = BrowserView(ob, request)
         >>> slot = TestSlot()
@@ -92,19 +97,20 @@
         self.request = request
         self.view = view
         self.slot = slot
-        
+
     def macros(self):
         macros = []
 
         # collect pagelets
         objects = self.context, self.request, self.view, self.slot
-        adapters = zapi.getAdapters(objects, IPagelet)
-        adapters.sort(lambda x, y: x[1].weight - y[1].weight)
+        pagelets = zapi.getAdapters(objects, IPagelet)
+        pagelets.sort(lambda x, y: x[1].weight - y[1].weight)
 
-        for name, pagelet in adapters:
-            # append pagelet macros 
-            macros.append(pagelet[name])
-            
+        for name, pagelet in pagelets:
+            # append pagelet macros if the permission is correct
+            if canAccess(pagelet, '__getitem__'):
+                macros.append(pagelet[name])
+
         return macros
 
 
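Review bot: In `macros()` the sort on `x[1].weight` still runs before the new `canAccess` filter, and metaconfigure.py in this same commit protects `weight` with the same permission as `__getitem__`. If the adapters returned by `zapi.getAdapters` are security-proxied at this point (not visible here), one pagelet the principal may not access would make the sort raise instead of being skipped. Filtering first avoids that: `pagelets = [(n, p) for n, p in zapi.getAdapters(objects, IPagelet) if canAccess(p, '__getitem__')]`, then sort and append unconditionally. The class header and the rest of its doctest lie outside this hunk.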
@@ -119,12 +125,12 @@
     to support a layout manager which can return a macro dependent
     on additional rules.
 
+    Imports:
 
-    Imports:
-    
         >>> from zope.interface import Interface
+        >>> from zope.security.checker import defineChecker
         >>> from zope.publisher.browser import TestRequest
-        >>> from zope.publisher.interfaces.browser import IBrowserRequest
+        >>> from zope.publisher.interfaces.browser import IDefaultBrowserLayer
         >>> from zope.component.interfaces import IView
         >>> from zope.app.publisher.browser import BrowserView
         >>> from zope.app.pagelet.interfaces import IPagelet
@@ -132,10 +138,10 @@
         >>> from zope.app.pagelet.tests import TestPagelet
         >>> from zope.app.pagelet.tests import TestContext
         >>> from zope.app.pagelet.tests import TestSlot
+        >>> from zope.app.pagelet.tests import testChecker
 
     Setup pagelet:
 
-        >>> ob = TestContext()
         >>> name = 'testpagelet'
         >>> factory = TestPagelet
 
@@ -143,13 +149,15 @@
 
         >>> from zope.app.testing import placelesssetup, ztapi
         >>> placelesssetup.setUp()
+        >>> defineChecker(factory, testChecker)
         >>> gsm = zapi.getGlobalSiteManager()
         >>> gsm.provideAdapter(
-        ...        (Interface, IBrowserRequest, IView, IPageletSlot)
+        ...        (Interface, IDefaultBrowserLayer, IView, IPageletSlot)
         ...        , IPagelet, name, factory)
 
     Setup macros collector:
-        
+
+        >>> ob = TestContext()
         >>> request = TestRequest()
         >>> view = BrowserView(ob, request)
         >>> slot = TestSlot()
@@ -182,7 +190,11 @@
 
         # collect a single pagelet which is a pagelet
         objects = self.context, self.request, self.view, self.slot
-        adapter = zapi.getMultiAdapter(objects, IPagelet, key)
-            
-        return adapter[key]
-
+        pagelet = zapi.getMultiAdapter(objects, IPagelet, key)
+        
+        # rasie Unauthorized exception if we don't have the permission for 
+        # calling the pagelet's macro code
+        if canAccess(pagelet, '__getitem__'):
+            return pagelet[key]
+        else:
+            raise Unauthorized(key)
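Review bot: The new deny branch, `raise Unauthorized(key)`, is not exercised by any doctest line visible in this commit, because every setup hunk registers the factory with `testChecker`, which grants `__getitem__`. A doctest that registers a pagelet under a checker the test principal cannot satisfy, and shows the resulting `Unauthorized`, would pin the behaviour this commit exists for; the docstring is only partly visible, so this may already be covered elsewhere. Smaller points: the comment reads `rasie`, the `else:` after `return pagelet[key]` is redundant, and the `isProxy` import added at the top of the file is not used in any hunk shown. The method's signature is outside the hunk.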

Modified: Zope3/trunk/src/zope/app/pagelet/metaconfigure.py
===================================================================
--- Zope3/trunk/src/zope/app/pagelet/metaconfigure.py	2005-03-17 22:44:37 UTC (rev 29535)
+++ Zope3/trunk/src/zope/app/pagelet/metaconfigure.py	2005-03-18 02:04:06 UTC (rev 29536)
@@ -72,7 +72,7 @@
         self.view = view
 
     def __getitem__(self, name):
-        """Get the macro by name."""
+        """Get the zpt code defined in 'define-macro' by name."""
         return self._template.macros[name]
 
     def _getWeight (self):
@@ -89,7 +89,7 @@
     required = {}
 
     # set permission checker
-    permission = _handle_permission(_context, permission)
+    permission = _handle_permission(permission)
 
     if not name:
         raise ConfigurationError("Must specify name.")
@@ -104,12 +104,10 @@
     if not os.path.isfile(template):
         raise ConfigurationError("No such file", template)
 
-    required['__getitem__'] = permission
-
     new_class = PageletClass(template, weight, bases=(simplepagelet, ))
 
     # set permissions
-    for n in ('__getitem__', '__call__', 'weight'):
+    for n in ('__getitem__', 'weight'):
         required[n] = permission
 
     #register interface
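Review bot: `__call__` is dropped from the protected names here, while the tests/__init__.py hunk at the end of this commit adds `'__call__'` to `testChecker` and removes `'request'`. The doctests therefore run under a checker that allows a name the directive no longer declares, so they cannot catch code that relies on `__call__` and would be refused under the real configuration. This assumes `required` is what the registered checker is built from, which is outside this hunk. Keeping the two lists identical, `testChecker = NamesChecker(['__getitem__', 'weight'])`, or adding a comment above the loop stating why `__call__` is deliberately left undeclared, would remove the ambiguity.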
@@ -148,7 +146,7 @@
             args = (iface, baseIface)
             )
 
-def _handle_permission(_context, permission):
+def _handle_permission(permission):
     if permission == 'zope.Public':
         permission = CheckerPublic
     return permission

Modified: Zope3/trunk/src/zope/app/pagelet/tests/__init__.py
===================================================================
--- Zope3/trunk/src/zope/app/pagelet/tests/__init__.py	2005-03-17 22:44:37 UTC (rev 29535)
+++ Zope3/trunk/src/zope/app/pagelet/tests/__init__.py	2005-03-18 02:04:06 UTC (rev 29536)
@@ -17,6 +17,7 @@
 """
 __docformat__ = 'restructuredtext'
 
+import sys
 from zope.interface import Interface, implements
 
 from zope.security.checker import NamesChecker
@@ -44,7 +45,8 @@
 
     implements(IPagelet)
 
-    _template = ViewPageTemplateFile('testfiles/test_pagelet.pt')
+    frame = sys._getframe(1).f_globals
+    _template = ViewPageTemplateFile('testfiles/test_pagelet.pt', frame)
     _weight = 0
 
     def __init__(self, context, request, view, ignored):
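Review bot: `frame` is assigned in the class body, so it remains on `TestPagelet` as a class attribute, and despite its name it holds a globals dict rather than a frame. From a class body, `sys._getframe(1)` is the frame executing the `class` statement, whose globals are this module's. `_template = ViewPageTemplateFile('testfiles/test_pagelet.pt', globals())` should therefore resolve the same path without the private `_getframe` call, the stray attribute or the new `import sys`. The `class` statement itself is outside the hunk.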
@@ -81,4 +83,4 @@
         return "A demo string."
 
 
-testChecker = NamesChecker(('__getitem__', 'request', 'weight'))
+testChecker = NamesChecker(['__getitem__', '__call__', 'weight'])


