def testProtectedPageViews(self):
component.provideUtility(Permission('p', 'P'), IPermission, 'p')
request = TestRequest()
self.assertEqual(
component.queryMultiAdapter((ob, request), name='test'), None)
xmlconfig(
StringIO(template % u'''
<include package="zope.security" file="meta.zcml" />
<permission id="zope.TestPermission" title="Test permission" />
<browser:pages
class="zope.browserpage.tests.test_page.V1"
for="zope.browserpage.tests.test_page.IC"
permission="zope.TestPermission"
>
<browser:page name="index.html" attribute="index" />
<browser:page name="action.html" attribute="action" />
</browser:pages>
'''))
v = component.getMultiAdapter((ob, request), name='index.html')
v = ProxyFactory(v)
zope.security.management.getInteraction().add(request)
self.assertRaises(Exception, v)
v = component.getMultiAdapter((ob, request), name='action.html')
v = ProxyFactory(v)
self.assertRaises(Exception, v)
def testFile(self):
path = os.path.join(tests_path, 'testfiles', 'test.pt')
self.assertEqual(component.queryAdapter(request, name='test'), None)
xmlconfig(
StringIO(template % '''
<browser:resource
name="index.html"
file="%s"
/>
''' % path))
r = component.getAdapter(request, name='index.html')
self.assertTrue(isinstance(r, FileResource))
r = ProxyFactory(r)
self.assertEqual(r.__name__, "index.html")
# Make sure we can access available attrs and not others
for n in ('GET', 'HEAD', 'publishTraverse', 'request', '__call__'):
getattr(r, n)
self.assertRaises(Exception, getattr, r, '_testData')
r = removeSecurityProxy(r)
self.assertEqual(r._testData(), open(path, 'rb').read())
def testFile(self):
path = os.path.join(tests_path, 'testfiles', 'test.pt')
self.assertEqual(zapi.queryAdapter(request, name='test'), None)
xmlconfig(StringIO(template %
'''
<browser:resource
name="index.html"
file="%s"
/>
''' % path
))
r = zapi.getAdapter(request, name='index.html')
self.assertEquals(r.__class__, FileResource)
r = ProxyFactory(r)
self.assertEqual(r.__name__, "index.html")
# Make sure we can access available attrs and not others
for n in ('GET', 'HEAD', 'publishTraverse', 'request', '__call__'):
getattr(r, n)
self.assertEqual(r.__name__, "index.html")
self.assertRaises(Exception, getattr, r, '_testData')
r = removeSecurityProxy(r)
self.assert_(r.__class__ is FileResource)
self.assertEqual(r._testData(), open(path, 'rb').read())
def test_both_wrapper_and_object_have_checkers_security_proxied(self):
from zope.proxy import ProxyBase
from zope.security.checker import CombinedChecker
from zope.security.checker import NamesChecker
from zope.security.checker import defineChecker
from zope.security.proxy import ProxyFactory
class Foo(object):
a = 'a'
fooChecker = NamesChecker(['a']) # a is public
defineChecker(Foo, fooChecker)
foo = Foo()
f_sec = ProxyFactory(foo)
class Wrapper(ProxyBase):
b = 'b'
__Security_checker__ = self._makeOne()
wrapperChecker = NamesChecker(['b']) # b is public
defineChecker(Wrapper, wrapperChecker)
w_sec = Wrapper(f_sec)
checker = w_sec.__Security_checker__
self.assertTrue(isinstance(checker, CombinedChecker))
checker.check(w_sec, 'a') # no raise
checker.check(w_sec, 'b') # no raise
def test__call__w_non_ILocation_multiple_args_extra_spacesuit(self):
from zope.security.proxy import ProxyFactory
from zope.security.proxy import removeSecurityProxy
factory = self._makeFactory()
ltaf = self._makeOne(factory)
class _NotAdapter(object):
pass
class _Extra(object):
pass
adapter = _NotAdapter()
extra = _Extra()
proxy = ProxyFactory(extra)
before = factory.__dict__.copy()
returned = ltaf(adapter, proxy)
self.assertFalse(returned is factory)
unwrapped = removeSecurityProxy(returned)
self.assertTrue('__parent__' not in unwrapped.__dict__)
self.assertIs(unwrapped, factory)
after = {
k: v
for k, v in unwrapped.__dict__.items()
if k not in ('_called_with', )
}
self.assertEqual(factory._called_with, (adapter, extra))
self.assertEqual(after, before) # no added attrs
def testInterfaceProtectedPage(self):
xmlconfig(
StringIO(template % u'''
<browser:page name="test"
class="zope.browserpage.tests.test_page.V1"
attribute="index"
for="zope.browserpage.tests.test_page.IC"
permission="zope.Public"
allowed_interface="zope.browserpage.tests.test_page.IV"
/>
'''))
v = component.getMultiAdapter((ob, self.request), name='test')
v = ProxyFactory(v)
self.assertEqual(v.index(), 'V1 here')
self.assertRaises(Exception, getattr, v, 'action')
def test__call__w_non_ILocation_w_spacesuit(self):
from zope.security.proxy import ProxyFactory
from zope.security.proxy import removeSecurityProxy
factory = self._makeFactory()
ltaf = self._makeOne(factory)
class _NotAdapter(object):
pass
adapter = _NotAdapter()
proxy = ProxyFactory(adapter)
before = factory.__dict__.copy()
returned = ltaf(proxy)
self.assertFalse(returned is factory)
ploc = removeSecurityProxy(returned)
self.assertIs(ploc.__parent__, adapter)
unwrapped = getProxiedObject(ploc)
self.assertIs(unwrapped, factory)
after = {
k: v
for k, v in unwrapped.__dict__.items()
if k not in ('_called_with', )
}
self.assertEqual(factory._called_with, (adapter, ))
self.assertEqual(after, before) # no added attrs
def testProxiedNewClassAsDictKey(self):
class C(object):
pass
d = {C: C()}
pC = ProxyFactory(C, self.c)
self.assertEqual(d[pC], d[C])
def get_sitting_items(sitting, request, include_actions=False):
items = []
if (sitting.status in IWorkflow(sitting).get_state_ids(
keys=["draft_agenda", "published_agenda"])):
order = "planned_order"
else:
order = "real_order"
schedulings = map(removeSecurityProxy,
sitting.items.batch(order_by=order, limit=None))
for scheduling in schedulings:
item = ProxyFactory(location_wrapped(scheduling.item, sitting))
props = IDCDescriptiveProperties.providedBy(item) and item or \
IDCDescriptiveProperties(item)
discussions = tuple(scheduling.discussions.values())
discussion = discussions and discussions[0] or None
truncated_discussion = None
if ((discussion is not None) and (discussion.body is not None)):
#truncate discussion to first hundred characters
t_discussion = discussion.body[0:100]
try:
#truncate discussion to first two lines
index = t_discussion.index("<br>")
index2 = t_discussion.index("<br>", index + 4)
truncated_discussion = t_discussion[0:index2] + "..."
except ValueError:
truncated_discussion = t_discussion + "..."
state_title = IWorkflow(item).get_state(item.status).title
item = removeSecurityProxy(item)
record = {
"title": props.title,
"description": props.description,
"name": stringKey(scheduling),
"status": item.status,
"type": item.type.capitalize,
"state_title": state_title,
"heading": True if item.type == "heading" else False,
#"category_id": scheduling.category_id,
#"category": scheduling.category,
"discussion": discussion,
"truncated_discussion": truncated_discussion,
"delete_url": "%s/delete" % url.absoluteURL(scheduling, request),
"url": url.absoluteURL(item, request),
}
if include_actions:
record["actions"] = get_scheduling_actions(scheduling, request)
record["workflow"] = get_workflow_actions(item, request)
discussion_actions = get_discussion_actions(discussion, request)
if discussion_actions:
assert len(discussion_actions) == 1
record["discussion_action"] = discussion_actions[0]
else:
record["discussion_action"] = None
items.append(record)
return items
def testDirectory(self):
path = os.path.join(tests_path, 'testfiles', 'subdir')
self.assertEqual(component.queryAdapter(request, name='dir'), None)
xmlconfig(
StringIO(template % '''
<browser:resourceDirectory
name="dir"
directory="%s"
/>
''' % path))
r = component.getAdapter(request, name='dir')
self.assertTrue(isinstance(r, DirectoryResource))
r = ProxyFactory(r)
self.assertEqual(r.__name__, "dir")
# Make sure we can access available attrs and not others
for n in ('publishTraverse', 'browserDefault', 'request', '__call__',
'get', '__getitem__'):
getattr(r, n)
self.assertRaises(Exception, getattr, r, 'directory_factory')
inexistent_dir = StringIO(template % '''
<browser:resourceDirectory
name="dir"
directory="does-not-exist"
/>
''')
self.assertRaises(ConfigurationError, xmlconfig, inexistent_dir)
def test__call__w_ILocation_w_spacesuit_w_existing_parent(self):
from zope.security.proxy import ProxyFactory
from zope.security.proxy import removeSecurityProxy
factory = self._makeFactory()
factory.__name__ = None
factory.__parent__ = parent = object()
directlyProvides(factory, ILocation)
ltaf = self._makeOne(factory)
class _Adapter(object):
pass
adapter = _Adapter()
proxy = ProxyFactory(adapter)
before = {
k: v
for k, v in factory.__dict__.items()
if k not in ('_called_with', '__parent__')
}
returned = ltaf(proxy)
self.assertFalse(returned is factory)
unwrapped = removeSecurityProxy(returned)
self.assertIs(unwrapped.__parent__, parent)
self.assertIs(unwrapped, factory)
after = {
k: v
for k, v in unwrapped.__dict__.items()
if k not in ('_called_with', '__parent__')
}
self.assertEqual(factory._called_with, (adapter, ))
self.assertEqual(after, before) # no added attrs
def testFile(self):
from zope.security.interfaces import ForbiddenAttribute
path = os.path.join(tests_path, 'testfiles', 'test.pt')
self.assertEqual(component.queryAdapter(request, name='test'), None)
xmlconfig(
StringIO(template % '''
<browser:resource
name="index.html"
file="%s"
/>
''' % path))
unwrapped_r = component.getAdapter(request, name='index.html')
self.assertTrue(isinstance(unwrapped_r, FileResource))
r = ProxyFactory(unwrapped_r)
self.assertEqual(r.__name__, "index.html")
# Make sure we can access available attrs and not others
for n in ('GET', 'HEAD', 'publishTraverse', 'request', '__call__'):
getattr(r, n)
self.assertRaises(ForbiddenAttribute, getattr, r, '_testData')
with open(path, 'rb') as f:
self.assertEqual(unwrapped_r._testData(), f.read())
def test__call__w_ILocation_w_spacesuit(self):
from zope.interface import directlyProvides
from zope.location import ILocation
from zope.security.proxy import getObject
from zope.security.proxy import ProxyFactory
from zope.security.proxy import removeSecurityProxy
factory = self._makeFactory()
factory.__parent__ = factory.__name__ = None
directlyProvides(factory, ILocation)
ltaf = self._makeOne(factory)
class _Adapter(object):
pass
adapter = _Adapter()
proxy = ProxyFactory(adapter)
before = dict([(k, v) for k, v in factory.__dict__.items()
if k not in ('_called_with', '__parent__')])
returned = ltaf(proxy)
self.assertFalse(returned is factory)
ploc = removeSecurityProxy(returned)
self.assertTrue(ploc.__parent__ is adapter)
unwrapped = getObject(ploc)
self.assertTrue(unwrapped is factory)
after = dict([(k, v) for k, v in unwrapped.__dict__.items()
if k not in ('_called_with', '__parent__')])
self.assertEqual(factory._called_with, (adapter,))
self.assertTrue(factory.__parent__ is adapter)
self.assertEqual(after, before) # no added attrs
def testInterfaceProtectedPage(self):
xmlconfig(StringIO(template %
'''
<browser:page name="test"
class="zope.app.component.tests.views.V1"
attribute="index"
for="zope.app.component.tests.views.IC"
permission="zope.Public"
allowed_interface="zope.app.component.tests.views.IV"
/>
'''
))
v = zapi.getMultiAdapter((ob, request), name='test')
v = ProxyFactory(v)
self.assertEqual(v.index(), 'V1 here')
self.assertRaises(Exception, getattr, v, 'action')
def testAttributeProtectedPage(self):
xmlconfig(
StringIO(template % u'''
<browser:page name="test"
class="zope.browserpage.tests.test_page.V2"
for="zope.browserpage.tests.test_page.IC"
attribute="action"
permission="zope.Public"
allowed_attributes="action2"
/>
'''))
v = component.getMultiAdapter((ob, self.request), name='test')
v = ProxyFactory(v)
self.assertEqual(v.action(), 'done')
self.assertEqual(v.action2(), 'done')
self.assertRaises(Exception, getattr, v, 'index')
def render(self, request, *args, **keywords):
instance = self.__parent__
debug_flags = request.debug
request = ProxyFactory(request)
instance = ProxyFactory(instance)
if args:
args = ProxyFactory(args)
kw = ProxyFactory(keywords)
namespace = self.pt_getContext(instance,
request,
args=args,
options=kw)
return self.pt_render(namespace,
showtal=debug_flags.showTAL,
sourceAnnotations=debug_flags.sourceAnnotations)
def testAttributeProtectedPage(self):
xmlconfig(StringIO(template %
'''
<browser:page name="test"
class="zope.app.publisher.browser.tests.test_directives.V2"
for="zope.app.component.tests.views.IC"
attribute="action"
permission="zope.Public"
allowed_attributes="action2"
/>
'''
))
v = zapi.getMultiAdapter((ob, request), name='test')
v = ProxyFactory(v)
self.assertEqual(v.action(), 'done')
self.assertEqual(v.action2(), 'done')
self.assertRaises(Exception, getattr, v, 'index')
def testAttributeProtectedView(self):
xmlconfig(
StringIO(template % u'''
<browser:view name="test"
class="zope.browserpage.tests.test_page.V2"
for="zope.browserpage.tests.test_page.IC"
permission="zope.Public"
allowed_attributes="action2"
>
<browser:page name="index.html" attribute="action" />
</browser:view>
'''))
v = component.getMultiAdapter((ob, self.request), name='test')
v = ProxyFactory(v)
page = v.publishTraverse(self.request, 'index.html')
self.assertEqual(page(), 'done')
self.assertEqual(v.action2(), 'done')
self.assertRaises(Exception, getattr, page, 'index')
def test_read_to_all(self):
"""`BugSubscriptionFilter`s can be read by anyone."""
bug_subscription_filter = BugSubscriptionFilter()
bug_subscription_filter.structural_subscription = self.subscription
bug_subscription_filter = ProxyFactory(bug_subscription_filter)
with person_logged_in(self.subscriber):
bug_subscription_filter.find_all_tags
with person_logged_in(self.factory.makePerson()):
bug_subscription_filter.find_all_tags
with anonymous_logged_in():
bug_subscription_filter.find_all_tags
def get_sitting_items(sitting, request, include_actions=False):
items = []
if sitting.status in [
sitting_wf_state[u'draft-agenda'].id,
sitting_wf_state[u'published-agenda'].id
]:
order = "planned_order"
else:
order = "real_order"
schedulings = map(removeSecurityProxy,
sitting.items.batch(order_by=order, limit=None))
for scheduling in schedulings:
item = ProxyFactory(location_wrapped(scheduling.item, sitting))
props = IDCDescriptiveProperties.providedBy(item) and item or \
IDCDescriptiveProperties(item)
discussions = tuple(scheduling.discussions.values())
discussion = discussions and discussions[0] or None
info = IWorkflowInfo(item, None)
state_title = info.workflow().workflow.states[item.status].title
record = {
'title': props.title,
'description': props.description,
'name': stringKey(scheduling),
'status': item.status,
'type': item.type.capitalize,
't': item.type,
'state_title': state_title,
#'category_id': scheduling.category_id,
#'category': scheduling.category,
'discussion': discussion,
'delete_url':
"%s/delete" % ui_url.absoluteURL(scheduling, request),
'url': ui_url.absoluteURL(item, request)
}
if include_actions:
record['actions'] = get_scheduling_actions(scheduling, request)
record['workflow'] = get_workflow_actions(item, request)
discussion_actions = get_discussion_actions(discussion, request)
if discussion_actions:
assert len(discussion_actions) == 1
record['discussion_action'] = discussion_actions[0]
else:
record['discussion_action'] = None
items.append(record)
return items
def test_security_should_allow_access_to_id_prefix(self):
import zeit.cms.testing
import zope.security.management
from zope.security.proxy import ProxyFactory
factory = zeit.content.video.testing.video_factory(self)
next(factory)
video = next(factory) # in repository
zope.security.management.endInteraction()
with zeit.cms.testing.interaction('zope.mgr'):
proxied = ProxyFactory(video)
self.assertEqual('vid', proxied.id_prefix)
def testAttributeProtectedView(self):
xmlconfig(StringIO(template %
'''
<browser:view name="test"
class="zope.browserpage.tests.test_page.V2"
for="zope.component.testfiles.views.IC"
permission="zope.Public"
allowed_attributes="action2"
>
<browser:page name="index.html" attribute="action" />
</browser:view>
'''
))
v = component.getMultiAdapter((ob, request), name='test')
v = ProxyFactory(v)
page = v.publishTraverse(request, 'index.html')
self.assertEqual(page(), 'done')
self.assertEqual(v.action2(), 'done')
self.assertRaises(Exception, getattr, page, 'index')
def testRepr(self):
self.assertEqual(repr(self.p), repr(self.x))
x = Something()
c = Checker()
c.ok = 0
p = ProxyFactory(x, c)
s = repr(p)
self.failUnless(
s.startswith("<security proxied %s.%s instance at" %
(x.__class__.__module__, x.__class__.__name__)), s)
def testProtectedtemplate(self):
path = os.path.join(tests_path, 'testfiles', 'test.pt')
request = TestRequest()
self.assertEqual(
component.queryMultiAdapter((ob, request), name='test'),
None)
xmlconfig(StringIO(template %
'''
<include package="zope.security" file="meta.zcml" />
<permission id="zope.TestPermission" title="Test permission" />
<browser:page
name="xxx.html"
template="%s"
permission="zope.TestPermission"
for="zope.component.testfiles.views.IC" />
''' % path
))
xmlconfig(StringIO(template %
'''
<browser:page
name="index.html"
template="%s"
permission="zope.Public"
for="zope.component.testfiles.views.IC" />
''' % path
))
v = component.getMultiAdapter((ob, request), name='xxx.html')
v = ProxyFactory(v)
zope.security.management.getInteraction().add(request)
self.assertRaises(Exception, v)
v = component.getMultiAdapter((ob, request), name='index.html')
v = ProxyFactory(v)
self.assertEqual(v().strip(), '<html><body><p>test</p></body></html>')
def _Engine(engine=None):
if engine is None:
engine = ZopeEngine()
engine = _create_base_engine(engine, ZopePathExpr)
engine.registerType('python', ZopePythonExpr)
# Using a proxy around sys.modules allows page templates to use
# modules for which security declarations have been made, but
# disallows execution of any import-time code for modules, which
# should not be allowed to happen during rendering.
engine.registerBaseName('modules', ProxyFactory(sys.modules))
return engine
def __call__(self):
# Set up the utility with an appropriate proxy.
# Note that this does not take into account other security
# directives on this content made later on during the execution
# of the zcml.
checker = Checker(self.permission_collector.get_permissions,
self.permission_collector.set_permissions)
component = ProxyFactory(self.component, checker=checker)
utility(self._context,
self.provides,
component=component,
name=self.name)
return ()
def find(self, *args, **kwargs):
"""See `IResultSet`.
:return: The decorated version of the returned result set.
"""
naked_result_set = removeSecurityProxy(self.result_set)
if naked_result_set is not self.result_set:
naked_new_result_set = naked_result_set.find(*args, **kwargs)
new_result_set = ProxyFactory(naked_new_result_set)
else:
new_result_set = self.result_set.find(*args, **kwargs)
return DecoratedResultSet(new_result_set, self.result_decorator,
self.pre_iter_hook, self.slice_info,
self.return_both)
def getSliceFromMemo(self, size, memo):
"""Return a result set for the given memo values.
Note that at least two other implementations are possible:
Instead of OR-combining the expressions returned by
whereExpressions(), these expressions could be used for
separate SELECTs which are then merged with UNION ALL.
We could also issue separate Storm queries for each
expression and combine the results here.
Which variant is more efficient is yet unknown; it may
differ between different queries.
"""
sort_expressions = self.getOrderBy()
where = self.whereExpressions(sort_expressions, memo)
where = reduce(Or, where)
# From storm.zope.interfaces.IResultSet.__doc__:
# - C{find()}, C{group_by()} and C{having()} are really
# used to configure result sets, so are mostly intended
# for use on the model side.
naked_result = removeSecurityProxy(self.resultset).find(where)
result = ProxyFactory(naked_result)
return result.config(limit=size)
def test_unops(self):
# We want the starting value of the expressions to be a proxy,
# but we don't want to create new proxies as a result of
# evaluation, so we have to extend the list of types that
# aren't proxied.
self.c.unproxied_types = str, int, long, float
for expr in self.unops:
x = 1
y = eval(expr)
# Make sure 'x' is a proxy always:
x = ProxyFactory(1, self.c)
z = eval(expr)
self.assertEqual(removeSecurityProxy(z), y,
"x=%r; expr=%r" % (x, expr))
self.shouldFail(lambda x: eval(expr), x)
def getSliceFromMemo(self, size, memo):
"""Return a result set for the given memo values.
Note that at least two other implementations are possible:
Instead of OR-combining the expressions returned by
whereExpressions(), these expressions could be used for
separate SELECTs which are then merged with UNION ALL.
We could also issue separate Storm queries for each
expression and combine the results here.
Which variant is more efficient is yet unknown; it may
differ between different queries.
"""
sort_expressions = self.getOrderBy()
where = self.whereExpressions(sort_expressions, memo)
where = reduce(Or, where)
# From storm.zope.interfaces.IResultSet.__doc__:
# - C{find()}, C{group_by()} and C{having()} are really
# used to configure result sets, so are mostly intended
# for use on the model side.
naked_result = removeSecurityProxy(self.resultset).find(where)
result = ProxyFactory(naked_result)
return result.config(limit=size)
def test_write_to_subscribers(self):
"""`BugSubscriptionFilter`s can only be modifed by subscribers."""
bug_subscription_filter = BugSubscriptionFilter()
bug_subscription_filter.structural_subscription = self.subscription
bug_subscription_filter = ProxyFactory(bug_subscription_filter)
# The subscriber can edit the filter.
with person_logged_in(self.subscriber):
bug_subscription_filter.find_all_tags = True
# Any other person is denied rights to edit the filter.
with person_logged_in(self.factory.makePerson()):
self.assertRaises(Unauthorized, setattr, bug_subscription_filter,
"find_all_tags", True)
# Anonymous users are also denied.
with anonymous_logged_in():
self.assertRaises(Unauthorized, setattr, bug_subscription_filter,
"find_all_tags", True)
def test_delete_by_subscribers(self):
"""`BugSubscriptionFilter`s can only be deleted by subscribers."""
bug_subscription_filter = BugSubscriptionFilter()
bug_subscription_filter.structural_subscription = self.subscription
bug_subscription_filter = ProxyFactory(bug_subscription_filter)
# Anonymous users are denied rights to delete the filter.
with anonymous_logged_in():
self.assertRaises(Unauthorized, getattr, bug_subscription_filter,
"delete")
# Any other person is also denied.
with person_logged_in(self.factory.makePerson()):
self.assertRaises(Unauthorized, getattr, bug_subscription_filter,
"delete")
# The subscriber can delete the filter.
with person_logged_in(self.subscriber):
bug_subscription_filter.delete()
def test_write_to_any_user_when_no_subscription(self):
"""
`BugSubscriptionFilter`s can be modifed by any logged-in user when
there is no related subscription.
"""
bug_subscription_filter = BugSubscriptionFilter()
bug_subscription_filter = ProxyFactory(bug_subscription_filter)
# The subscriber can edit the filter.
with person_logged_in(self.subscriber):
bug_subscription_filter.find_all_tags = True
# Any other person can edit the filter.
with person_logged_in(self.factory.makePerson()):
bug_subscription_filter.find_all_tags = True
# Anonymous users are denied rights to edit the filter.
with anonymous_logged_in():
self.assertRaises(Unauthorized, setattr, bug_subscription_filter,
"find_all_tags", True)
def testFactory(self):
self.assertEqual(component.queryAdapter(request, name='index.html'),
None)
xmlconfig(
StringIO(template % '''
<browser:resource
name="index.html"
factory="
zope.browserresource.tests.test_directives.MyResource"
/>
'''))
r = component.getAdapter(request, name='index.html')
self.assertEquals(r.__class__, MyResource)
r = ProxyFactory(r)
self.assertEqual(r.__name__, "index.html")
def publishTraverse(self, request, name):
# this is the primary condition; traverse to ``name`` by
# looking up methods on this class
try:
method = getattr(self.context, "get_%s" % name)
except AttributeError:
# fall back to default traversal (view lookup)
def method():
return super(SchedulingContextTraverser,
self).publishTraverse(request, name)
obj = method()
assert ILocation.providedBy(obj), obj
log.debug("SchedulingContextTraverser.publishTraverse: " \
"self=%s context=%s name=%s obj=%s" % (self, self.context, name, obj))
return ProxyFactory(
LocationProxy(removeSecurityProxy(obj),
container=self.context,
name=name))
def testAttributeProtectedView(self):
xmlconfig.file("xmlrpc.zcml", xmlrpc.tests)
v = component.getMultiAdapter((ob, request), name='test3')
v = ProxyFactory(v)
self.assertEqual(v.action(), 'done')
self.assertRaises(Exception, getattr, v, 'index')
def testInterfaceProtectedView(self):
xmlconfig.file("xmlrpc.zcml", xmlrpc.tests)
v = component.getMultiAdapter((ob, request), name='test2')
v = ProxyFactory(v)
self.assertEqual(v.index(), 'V1 here')
self.assertRaises(Exception, getattr, v, 'action')
class ProxyTests(unittest.TestCase):
def setUp(self):
self.x = Something()
self.c = Checker()
self.p = ProxyFactory(self.x, self.c)
def shouldFail(self, *args):
self.c.ok = 0
self.assertRaises(RuntimeError, *args)
self.c.ok = 1
def testDerivation(self):
self.assert_(isinstance(self.p, proxy))
def testStr(self):
self.assertEqual(str(self.p), str(self.x))
x = Something()
c = Checker()
c.ok = 0
p = ProxyFactory(x, c)
s = str(p)
self.failUnless(s.startswith(
"<security proxied %s.%s instance at"
% (x.__class__.__module__, x.__class__.__name__)),
s)
def testRepr(self):
self.assertEqual(repr(self.p), repr(self.x))
x = Something()
c = Checker()
c.ok = 0
p = ProxyFactory(x, c)
s = repr(p)
self.failUnless(s.startswith(
"<security proxied %s.%s instance at"
% (x.__class__.__module__, x.__class__.__name__)),
s)
def testGetAttrOK(self):
self.assertEqual(removeSecurityProxy(self.p.foo), [1,2,3])
def testGetAttrFail(self):
self.assertRaises(RuntimeError, lambda: self.p.bar)
def testSetAttrOK(self):
self.p.foo = 42
self.assertEqual(self.p.foo, 42)
def testSetAttrFail(self):
def doit(): self.p.bar = 42
self.assertRaises(RuntimeError, doit)
def testGetItemOK(self):
self.assertEqual(self.p[0], 1)
def testGetItemFail(self):
self.shouldFail(lambda: self.p[10])
def testSetItemOK(self):
self.p[0] = 42
self.assertEqual(self.p[0], 42)
def testSetItemFail(self):
def doit(): del self.p[0]
self.shouldFail(doit)
def testDelItemOK(self):
self.p[0] = 42
self.assertEqual(self.p[0], 42)
del self.p[0]
self.shouldFail(lambda: self.p[0])
def testDelItemFail(self):
def doit(): self.p[10] = 42
self.shouldFail(doit)
def testCallOK(self):
self.assertEqual(self.p(None), 42)
def testCallFail(self):
self.shouldFail(self.p, None)
def testRichCompareOK(self):
self.failUnless(self.p == self.x)
def testRichCompareFail(self):
self.shouldFail(lambda: self.p == self.x)
def testIterOK(self):
self.assertEqual(removeSecurityProxy(iter(self.p)), self.x)
def testIterFail(self):
self.shouldFail(iter, self.p)
def testNextOK(self):
self.assertEqual(self.p.next(), 42)
def testNextFail(self):
self.shouldFail(self.p.next)
def testCompareOK(self):
self.assertEqual(cmp(self.p, self.x), 0)
def testCompareFail(self):
self.shouldFail(cmp, self.p, self.x)
def testHashOK(self):
self.assertEqual(hash(self.p), hash(self.x))
def testHashFail(self):
self.shouldFail(hash, self.p)
def testNonzeroOK(self):
self.assertEqual(not self.p, 0)
def testNonzeroFail(self):
self.shouldFail(lambda: not self.p)
def testLenOK(self):
self.assertEqual(len(self.p), 42)
def testLenFail(self):
self.shouldFail(len, self.p)
def testSliceOK(self):
self.assertEqual(removeSecurityProxy(self.p[:]), [42])
def testSliceFail(self):
self.shouldFail(lambda: self.p[:])
def testSetSliceOK(self):
self.p[:] = [42]
def testSetSliceFail(self):
def doit(): self.p[:] = [42]
self.shouldFail(doit)
def testContainsOK(self):
self.failUnless(42 in self.p)
def testContainsFail(self):
self.shouldFail(lambda: 42 in self.p)
def testGetObject(self):
self.assertEqual(self.x, removeSecurityProxy(self.p))
def testGetChecker(self):
self.assertEqual(self.c, getChecker(self.p))
def testProxiedClassicClassAsDictKey(self):
class C(object):
pass
d = {C: C()}
pC = ProxyFactory(C, self.c)
self.assertEqual(d[pC], d[C])
def testProxiedNewClassAsDictKey(self):
class C(object):
pass
d = {C: C()}
pC = ProxyFactory(C, self.c)
self.assertEqual(d[pC], d[C])
unops = [
"-x", "+x", "abs(x)", "~x",
"int(x)", "long(x)", "float(x)",
]
def test_unops(self):
# We want the starting value of the expressions to be a proxy,
# but we don't want to create new proxies as a result of
# evaluation, so we have to extend the list of types that
# aren't proxied.
self.c.unproxied_types = str, int, long, float
for expr in self.unops:
x = 1
y = eval(expr)
# Make sure 'x' is a proxy always:
x = ProxyFactory(1, self.c)
z = eval(expr)
self.assertEqual(removeSecurityProxy(z), y,
"x=%r; expr=%r" % (x, expr))
self.shouldFail(lambda x: eval(expr), x)
def test_odd_unops(self):
# unops that don't return a proxy
P = self.c.proxy
for func in hex, oct, lambda x: not x:
self.assertEqual(func(P(100)), func(100))
self.shouldFail(func, P(100))
binops = [
"x+y", "x-y", "x*y", "x/y", "divmod(x, y)", "x**y", "x//y",
"x<<y", "x>>y", "x&y", "x|y", "x^y",
]
def test_binops(self):
P = self.c.proxy
for expr in self.binops:
first = 1
for x in [1, P(1)]:
for y in [2, P(2)]:
if first:
z = eval(expr)
first = 0
else:
self.assertEqual(removeSecurityProxy(eval(expr)), z,
"x=%r; y=%r; expr=%r" % (x, y, expr))
self.shouldFail(lambda x, y: eval(expr), x, y)
def test_inplace(self):
# TODO: should test all inplace operators...
P = self.c.proxy
pa = P(1)
pa += 2
self.assertEqual(removeSecurityProxy(pa), 3)
a = [1, 2, 3]
pa = qa = P(a)
pa += [4, 5, 6]
self.failUnless(pa is qa)
self.assertEqual(a, [1, 2, 3, 4, 5, 6])
def doit():
pa = P(1)
pa += 2
self.shouldFail(doit)
pa = P(2)
pa **= 2
self.assertEqual(removeSecurityProxy(pa), 4)
def doit():
pa = P(2)
pa **= 2
self.shouldFail(doit)
def test_coerce(self):
P = self.c.proxy
# Before 2.3, coerce() of two proxies returns them unchanged
import sys
fixed_coerce = sys.version_info >= (2, 3, 0)
x = P(1)
y = P(2)
a, b = coerce(x, y)
self.failUnless(a is x and b is y)
x = P(1)
y = P(2.1)
a, b = coerce(x, y)
self.failUnless(removeSecurityProxy(a) == 1.0 and b is y)
if fixed_coerce:
self.failUnless(type(removeSecurityProxy(a)) is float and b is y)
x = P(1.1)
y = P(2)
a, b = coerce(x, y)
self.failUnless(a is x and removeSecurityProxy(b) == 2.0)
if fixed_coerce:
self.failUnless(a is x and type(removeSecurityProxy(b)) is float)
x = P(1)
y = 2
a, b = coerce(x, y)
self.failUnless(a is x and b is y)
x = P(1)
y = 2.1
a, b = coerce(x, y)
self.failUnless(type(removeSecurityProxy(a)) is float and b is y)
x = P(1.1)
y = 2
a, b = coerce(x, y)
self.failUnless(a is x and type(removeSecurityProxy(b)) is float)
x = 1
y = P(2)
a, b = coerce(x, y)
self.failUnless(a is x and b is y)
x = 1.1
y = P(2)
a, b = coerce(x, y)
self.failUnless(a is x and type(removeSecurityProxy(b)) is float)
x = 1
y = P(2.1)
a, b = coerce(x, y)
self.failUnless(type(removeSecurityProxy(a)) is float and b is y)
def setUp(self):
self.x = Something()
self.c = Checker()
self.p = ProxyFactory(self.x, self.c)
