def filter(self, viewlets):
        """Filter the viewlets.

        ``viewlets`` is a list of tuples of the form (name, viewlet).

        This filters the viewlets just like Five, but also filters out
        viewlets by name from the local utility which implements the
        IViewletSettingsStorage interface.
        """
        results = []
        storage = queryUtility(IViewletSettingsStorage)
        if storage is None:
            return results
        skinname = self.context.getCurrentSkinName()
        hidden = frozenset(storage.getHidden(self.__name__, skinname))
        # Only return visible viewlets accessible to the principal
        # We need to wrap each viewlet in its context to make sure that
        # the object has a real context from which to determine owner
        # security.
        # Copied from Five
        for name, viewlet in viewlets:
            if IAcquirer.providedBy(viewlet):
                viewlet = viewlet.__of__(viewlet.context)
            if name not in hidden and guarded_hasattr(viewlet, 'render'):
                results.append((name, viewlet))
        return results
Example #2
0
    def __getitem__(self, name):
        """See zope.interface.common.mapping.IReadMapping"""
        # Find the viewlet
        viewlet = zope.component.queryMultiAdapter(
            (self.context, self.request, self.__parent__, self),
            interfaces.IViewlet,
            name=name)

        # If the viewlet was not found, then raise a lookup error
        if viewlet is None:
            raise zope.component.interfaces.ComponentLookupError(
                'No provider with name `%s` found.' % name)

        # Wrap the viewlet for security lookups
        viewlet = viewlet.__of__(viewlet.context)

        # If the viewlet cannot be accessed, then raise an
        # unauthorized error
        if not guarded_hasattr(viewlet, 'render'):
            raise zope.security.interfaces.Unauthorized(
                'You are not authorized to access the provider '
                'called `%s`.' % name)

        # Return the viewlet.
        return viewlet
Example #3
0
    def get_viewlet(self, manager_name, viewlet_name):
        # check visibility
        storage = queryUtility(IViewletSettingsStorage)
        if storage is None:
            return None

        skinname = self.context.getCurrentSkinName()

        hidden = frozenset(storage.getHidden(manager_name, skinname))
        if viewlet_name in hidden:
            return None

        # get viewlet instance
        manager = queryMultiAdapter((self.context, self.request, self),
                                    IViewletManager,
                                    name=manager_name)
        viewlet = queryMultiAdapter(
            (self.context, self.request, self, manager),
            IViewlet,
            name=viewlet_name)
        if viewlet is None:
            logger.debug('Viewlet tile {0} in manager {1}. '
                         'Was not found.'.format(viewlet_name, manager_name))
            return None

        # check permissions - same as in plone.app.viewletmanager
        if IAcquirer.providedBy(viewlet):
            viewlet = viewlet.__of__(viewlet.context)
        if not guarded_hasattr(viewlet, 'render'):
            logger.warn('Blocked attempt to render tile {0} in manager {1}. '
                        'Permission denied.'.format(viewlet_name,
                                                    manager_name))
            return None

        return viewlet
Example #4
0
    def filter(self, viewlets):
        """Filter the viewlets.

        ``viewlets`` is a list of tuples of the form (name, viewlet).

        This filters the viewlets just like Five, but also filters out
        viewlets by name from the local utility which implements the
        IViewletSettingsStorage interface.
        """
        results = []
        storage = queryUtility(IViewletSettingsStorage)
        if storage is None:
            return results
        skinname = self.context.getCurrentSkinName()
        hidden = frozenset(storage.getHidden(self.__name__, skinname))
        # Only return visible viewlets accessible to the principal
        # We need to wrap each viewlet in its context to make sure that
        # the object has a real context from which to determine owner
        # security.
        # Copied from Five
        for name, viewlet in viewlets:
            if IAcquirer.providedBy(viewlet):
                viewlet = viewlet.__of__(viewlet.context)
            if name not in hidden and guarded_hasattr(viewlet, 'render'):
                results.append((name, viewlet))
        return results
Example #5
0
    def test_property_sheet_security_on_permission(self):
        """ Added a test to make sure permissions are used into portal
        preference level. """
        write_permission = "Modify portal content"
        read_permission = "Manage portal"

        self._addProperty(
            "Preference",
            "test_property_sheet_security_on_permission Preference",
            property_id="preferred_toto",
            portal_type="Standard Property",
            preference=1,
            write_permission="Modify portal content",
            read_permission="Manage portal",
            elementary_type="string",
        )

        obj = self.portal.portal_preferences.newContent(portal_type="Preference")
        obj.enable()
        self.tic()

        self.assertTrue(guarded_hasattr(obj, "setPreferredToto"))
        obj.setPreferredToto("A TEST")
        self.assertTrue(guarded_hasattr(obj, "getPreferredToto"))

        obj.manage_permission(write_permission, [], 0)
        self.assertFalse(guarded_hasattr(obj, "setPreferredToto"))
        self.assertTrue(guarded_hasattr(obj, "getPreferredToto"))

        obj.manage_permission(write_permission, ["Manager"], 1)
        obj.manage_permission(read_permission, [], 0)
        self.assertTrue(guarded_hasattr(obj, "setPreferredToto"))
        self.assertFalse(guarded_hasattr(obj, "getPreferredToto"))

        obj.manage_permission(read_permission, ["Manager"], 1)

        self.tic()

        preference_tool = self.portal.portal_preferences
        self.assertTrue(guarded_hasattr(preference_tool, "getPreferredToto"))
        self.assertEqual("A TEST", preference_tool.getPreferredToto())

        preference_tool.manage_permission(write_permission, [], 0)
        self.assertTrue(guarded_hasattr(preference_tool, "getPreferredToto"))

        preference_tool.manage_permission(write_permission, ["Manager"], 1)
        preference_tool.manage_permission(read_permission, [], 0)
        obj.manage_permission(read_permission, [], 0)
        self.assertFalse(guarded_hasattr(preference_tool, "getPreferredToto"))

        preference_tool.manage_permission(read_permission, ["Manager"], 1)
Example #6
0
    def test_property_sheet_security_on_permission(self):
        """ Added a test to make sure permissions are used into portal
        preference level. """
        write_permission = 'Modify portal content'
        read_permission = 'Manage portal'

        self._addProperty(
            'Preference',
            'test_property_sheet_security_on_permission Preference',
            property_id='preferred_toto',
            portal_type='Standard Property',
            preference=1,
            write_permission='Modify portal content',
            read_permission='Manage portal',
            elementary_type='string')

        obj = self.portal.portal_preferences.newContent(
            portal_type='Preference')
        obj.enable()
        self.tic()

        self.assertTrue(guarded_hasattr(obj, 'setPreferredToto'))
        obj.setPreferredToto("A TEST")
        self.assertTrue(guarded_hasattr(obj, 'getPreferredToto'))

        obj.manage_permission(write_permission, [], 0)
        self.assertFalse(guarded_hasattr(obj, 'setPreferredToto'))
        self.assertTrue(guarded_hasattr(obj, 'getPreferredToto'))

        obj.manage_permission(write_permission, ['Manager'], 1)
        obj.manage_permission(read_permission, [], 0)
        self.assertTrue(guarded_hasattr(obj, 'setPreferredToto'))
        self.assertFalse(guarded_hasattr(obj, 'getPreferredToto'))

        obj.manage_permission(read_permission, ['Manager'], 1)

        self.tic()

        preference_tool = self.portal.portal_preferences
        self.assertTrue(guarded_hasattr(preference_tool, 'getPreferredToto'))
        self.assertEqual("A TEST", preference_tool.getPreferredToto())

        preference_tool.manage_permission(write_permission, [], 0)
        self.assertTrue(guarded_hasattr(preference_tool, 'getPreferredToto'))

        preference_tool.manage_permission(write_permission, ['Manager'], 1)
        preference_tool.manage_permission(read_permission, [], 0)
        obj.manage_permission(read_permission, [], 0)
        self.assertFalse(guarded_hasattr(preference_tool, 'getPreferredToto'))

        preference_tool.manage_permission(read_permission, ['Manager'], 1)
Example #7
0
 def filter(self, viewlets):
     results = []
     for name, viewlet in viewlets:
         if getattr(viewlet, 'available', True):
             viewlet = viewlet.__of__(viewlet.context)
             if guarded_hasattr(viewlet, 'render'):
                 results.append((name, viewlet))
     return results
Example #8
0
  def test_property_sheet_security_on_permission(self):
    """ Added a test to make sure permissions are used into portal
        preference level. """
    write_permission = 'Modify portal content'
    read_permission = 'Manage portal'

    self._addProperty('Preference',
        'test_property_sheet_security_on_permission Preference',
        property_id='preferred_toto',
        portal_type='Standard Property',
        preference=1,
        write_permission='Modify portal content',
        read_permission='Manage portal',
        elementary_type='string')

    obj = self.portal.portal_preferences.newContent(portal_type='Preference')
    obj.enable()
    transaction.commit()
    self.tic()
    
    self.assertTrue(guarded_hasattr(obj, 'setPreferredToto'))
    obj.setPreferredToto("A TEST")
    self.assertTrue(guarded_hasattr(obj, 'getPreferredToto'))

    obj.manage_permission(write_permission, [], 0)
    self.assertFalse(guarded_hasattr(obj, 'setPreferredToto'))
    self.assertTrue(guarded_hasattr(obj, 'getPreferredToto'))

    obj.manage_permission(write_permission, ['Manager'], 1)
    obj.manage_permission(read_permission, [], 0)
    self.assertTrue(guarded_hasattr(obj, 'setPreferredToto'))
    self.assertFalse(guarded_hasattr(obj, 'getPreferredToto'))

    obj.manage_permission(read_permission, ['Manager'], 1)

    transaction.commit()
    self.tic()

    preference_tool = self.portal.portal_preferences
    self.assertTrue(guarded_hasattr(preference_tool, 'getPreferredToto'))
    self.assertEquals("A TEST", preference_tool.getPreferredToto())

    preference_tool.manage_permission(write_permission, [], 0)
    self.assertTrue(guarded_hasattr(preference_tool, 'getPreferredToto'))

    preference_tool.manage_permission(write_permission, ['Manager'], 1)
    preference_tool.manage_permission(read_permission, [], 0)
    obj.manage_permission(read_permission, [], 0)
    self.assertFalse(guarded_hasattr(preference_tool, 'getPreferredToto'))

    preference_tool.manage_permission(read_permission, ['Manager'], 1)
Example #9
0
 def test_hit(self):
     from AccessControl.ZopeGuards import guarded_hasattr
     obj = Method(2411)
     name = 'args'
     value = getattr(obj, name)
     rc = sys.getrefcount(value)
     self.assertTrue(guarded_hasattr(obj, name))
     self.assertEqual(len(self.__sm.calls), 1)
     del self.__sm.calls[:]
     self.assertEqual(rc, sys.getrefcount(value))
Example #10
0
 def test_unauthorized(self):
     from AccessControl.ZopeGuards import guarded_hasattr
     obj, name = Method(), 'args'
     value = getattr(obj, name)
     rc = sys.getrefcount(value)
     self.__sm.reject = True
     self.assertFalse(guarded_hasattr(obj, name))
     self.assertEqual(len(self.__sm.calls), 1)
     del self.__sm.calls[:]
     self.assertEqual(rc, sys.getrefcount(value))
Example #11
0
    def filter(self, viewlets):
        """Sort out all content providers

        ``viewlets`` is a list of tuples of the form (name, viewlet).
        """
        # Only return viewlets accessible to the principal
        # We need to wrap each viewlet in its context to make sure that
        # the object has a real context from which to determine owner
        # security.
        return [(name, viewlet) for name, viewlet in viewlets if
                guarded_hasattr(viewlet.__of__(viewlet.context), 'render')]
Example #12
0
    def filter(self, viewlets):
        """Sort out all content providers

        ``viewlets`` is a list of tuples of the form (name, viewlet).
        """
        results = []
        # Only return viewlets accessible to the principal
        # We need to wrap each viewlet in its context to make sure that
        # the object has a real context from which to determine owner
        # security.
        for name, viewlet in viewlets:
            if guarded_hasattr(viewlet, 'render'):
                results.append((name, viewlet))
        return results
Example #13
0
    def filter(self, viewlets):
        """Sort out all content providers

        ``viewlets`` is a list of tuples of the form (name, viewlet).
        """
        results = []
        # Only return viewlets accessible to the principal
        # We need to wrap each viewlet in its context to make sure that
        # the object has a real context from which to determine owner
        # security.
        for name, viewlet in viewlets:
            if guarded_hasattr(viewlet, 'render'):
                results.append((name, viewlet))
        return results
def is_available(viewlet):
    """Check if viewlet is available
    """
    if not guarded_hasattr(viewlet, 'render'):
        return False

    if hasattr(viewlet, 'available'):
        if callable(viewlet.available):
            available = viewlet.available()
        else:
            available = viewlet.available

        return available
    else:
        return True
 def processForm(self, form):
     """ Process an XForms submission.
     
     """
     submit = form.get('__submit__')
     if not submit:
         # return an empty string as the 'message', since we haven't actually
         # processed anything    
         return (form, '', False)
     
     model, submission = submit.split('+')
     if not (model and submission):
         return (form, 'No model and/or submission specified', True)
     
     messages = []
     # validate the form
     content_container = getattr(self.aq_explicit, self.content_container)
     for key in form.keys():
         for obj in (content_container.get_filteredDataDefinition() +
                     content_container.security_management):
             if (getattr(obj, 'indexName', '') == key or
                 getattr(obj, 'id', '') == key):
                 val, message = obj.validate(self, form.get(key))
                 if message:
                     messages.append(message)
                 else:
                     form[key] = val        
     if messages:
         message = ''
         for msg in messages:
             message += '<p>%s</p>' % msg
         
         return (form, message, True)
         
     # look for a callback method for processing this form
     if guarded_hasattr(self.aq_explicit, 'cb_'+str(model)):
         process_cb = guarded_getattr(self.aq_explicit, 'cb_'+str(model))
     
         # the form has been processed, we don't need to do anything else
         form['__populate__'] = False
         
         return process_cb(form)
         
     return (form, 'No matching model found', True)
    def processForm(self, form):
        """ Process an XForms submission.
        
        """
        submit = form.get('__submit__')
        if not submit:
            # return an empty string as the 'message', since we haven't actually
            # processed anything
            return (form, '', False)

        model, submission = submit.split('+')
        if not (model and submission):
            return (form, 'No model and/or submission specified', True)

        messages = []
        # validate the form
        content_container = getattr(self.aq_explicit, self.content_container)
        for key in form.keys():
            for obj in (content_container.get_filteredDataDefinition() +
                        content_container.security_management):
                if (getattr(obj, 'indexName', '') == key
                        or getattr(obj, 'id', '') == key):
                    val, message = obj.validate(self, form.get(key))
                    if message:
                        messages.append(message)
                    else:
                        form[key] = val
        if messages:
            message = ''
            for msg in messages:
                message += '<p>%s</p>' % msg

            return (form, message, True)

        # look for a callback method for processing this form
        if guarded_hasattr(self.aq_explicit, 'cb_' + str(model)):
            process_cb = guarded_getattr(self.aq_explicit, 'cb_' + str(model))

            # the form has been processed, we don't need to do anything else
            form['__populate__'] = False

            return process_cb(form)

        return (form, 'No matching model found', True)
Example #17
0
    def get_viewlet(self, manager_name, viewlet_name):
        # check visibility
        storage = queryUtility(IViewletSettingsStorage)
        if storage is None:
            return None

        skinname = self.context.getCurrentSkinName()

        hidden = frozenset(storage.getHidden(manager_name, skinname))
        if viewlet_name in hidden:
            return None

        # get viewlet instance
        manager = queryMultiAdapter(
            (self.context, self.request, self),
            IViewletManager,
            name=manager_name
        )
        viewlet = queryMultiAdapter(
            (self.context, self.request, self, manager),
            IViewlet,
            name=viewlet_name
        )
        if viewlet is None:
            logger.debug(
                'Viewlet tile {0} in manager {1}. '
                'Was not found.'.format(viewlet_name, manager_name)
            )
            return None

        # check permissions - same as in plone.app.viewletmanager
        if IAcquirer.providedBy(viewlet):
            viewlet = viewlet.__of__(viewlet.context)
        if not guarded_hasattr(viewlet, 'render'):
            logger.warn(
                'Blocked attempt to render tile {0} in manager {1}. '
                'Permission denied.'.format(viewlet_name, manager_name)
            )
            return None

        return viewlet
Example #18
0
    def __getitem__(self, name):
        """See zope.interface.common.mapping.IReadMapping"""
        # Find the viewlet
        viewlet = zope.component.queryMultiAdapter(
            (self.context, self.request, self.__parent__, self),
            interfaces.IViewlet, name=name)

        # If the viewlet was not found, then raise a lookup error
        if viewlet is None:
            raise zope.interface.interfaces.ComponentLookupError(
                'No provider with name `%s` found.' % name)

        # If the viewlet cannot be accessed, then raise an
        # unauthorized error
        if not guarded_hasattr(viewlet, 'render'):
            raise zope.security.interfaces.Unauthorized(
                'You are not authorized to access the provider '
                'called `%s`.' % name)

        # Return the viewlet.
        return viewlet
Example #19
0
    def render(self):
        """See zope.contentprovider.interfaces.IContentProvider"""

        # check whether we are in the manager view
        is_managing = False
        parent = getattr(self, '__parent__', None)
        while parent is not None:
            if IViewletManagementView.providedBy(parent):
                is_managing = True
                break
            parent = getattr(parent, '__parent__', None)

        if is_managing:
            # if we are in the managing view, then fetch all viewlets again
            viewlets = getAdapters(
                (self.context, self.request, self.__parent__, self), IViewlet)

            # sort them first
            viewlets = self.sort(viewlets)

            storage = getUtility(IViewletSettingsStorage)
            skinname = self.context.getCurrentSkinName()
            hidden = frozenset(storage.getHidden(self.__name__, skinname))

            # then render the ones which are accessible
            base_url = str(
                getMultiAdapter((self.context, self.request),
                                name='absolute_url'))
            query_tmpl = "%s/@@manage-viewlets?%%s" % base_url
            results = []
            for index, (name, viewlet) in enumerate(viewlets):
                if IAcquirer.providedBy(viewlet):
                    viewlet = viewlet.__of__(viewlet.context)
                viewlet_id = "%s:%s" % (self.__name__, name)
                options = {
                    'index': index,
                    'name': name,
                    'hidden': name in hidden,
                    'show_url': query_tmpl % urlencode({'show': viewlet_id}),
                    'hide_url': query_tmpl % urlencode({'hide': viewlet_id}),
                }

                if guarded_hasattr(viewlet, 'render'):
                    viewlet.update()
                    options['content'] = viewlet.render()
                else:
                    options['content'] = u""
                if index > 0:
                    prev_viewlet = viewlets[index - 1][0]
                    query = {
                        'move_above': "%s;%s" % (viewlet_id, prev_viewlet)
                    }
                    options['up_url'] = query_tmpl % urlencode(query)
                if index < (len(viewlets) - 1):
                    next_viewlet = viewlets[index + 1][0]
                    query = {
                        'move_below': "%s;%s" % (viewlet_id, next_viewlet)
                    }
                    options['down_url'] = query_tmpl % urlencode(query)
                results.append(options)

            self.name = self.__name__
            self.normalized_name = self.name.replace('.', '-')
            interface = list(providedBy(self).flattened())[0]
            self.interface = interface.__identifier__

            # and output them
            return self.manager_template(viewlets=results)
        # the rest is standard behaviour from zope.viewlet
        else:
            return BaseOrderedViewletManager.render(self)
    def render(self):
        """See zope.contentprovider.interfaces.IContentProvider"""

        # check whether we are in the manager view
        is_managing = False
        parent = getattr(self, '__parent__', None)
        while parent is not None:
            if IViewletManagementView.providedBy(parent):
                is_managing = True
                break
            parent = getattr(parent, '__parent__', None)

        if is_managing:
            # if we are in the managing view, then fetch all viewlets again
            viewlets = getAdapters(
                (self.context, self.request, self.__parent__, self),
                IViewlet)

            # sort them first
            viewlets = self.sort(viewlets)

            storage = getUtility(IViewletSettingsStorage)
            skinname = self.context.getCurrentSkinName()
            hidden = frozenset(storage.getHidden(self.__name__, skinname))

            # then render the ones which are accessible
            base_url = str(getMultiAdapter((self.context, self.request),
                           name='absolute_url'))
            query_tmpl = "%s/@@manage-viewlets?%%s" % base_url
            results = []
            for index, (name, viewlet) in enumerate(viewlets):
                if IAcquirer.providedBy(viewlet):
                    viewlet = viewlet.__of__(viewlet.context)
                viewlet_id = "%s:%s" % (self.__name__, name)
                options = {'index': index,
                           'name': name,
                           'hidden': name in hidden,
                           'show_url': query_tmpl % urlencode({'show': viewlet_id}),
                           'hide_url': query_tmpl % urlencode({'hide': viewlet_id})}

                if guarded_hasattr(viewlet, 'render'):
                    viewlet.update()
                    options['content'] = viewlet.render()
                else:
                    options['content'] = u""
                if index > 0:
                    prev_viewlet = viewlets[index-1][0]
                    query = {'move_above': "%s;%s" % (viewlet_id, prev_viewlet)}
                    options['up_url'] = query_tmpl % urlencode(query)
                if index < (len(viewlets) - 1):
                    next_viewlet = viewlets[index+1][0]
                    query = {'move_below': "%s;%s" % (viewlet_id, next_viewlet)}
                    options['down_url'] = query_tmpl % urlencode(query)
                results.append(options)

            self.name = self.__name__
            self.normalized_name = self.name.replace('.', '-')
            self.interface = list(providedBy(self).flattened())[0].__identifier__

            # and output them
            return self.manager_template(viewlets=results)
        # the rest is standard behaviour from zope.viewlet
        else:
            return BaseOrderedViewletManager.render(self)
Example #21
0
 def test_miss(self):
     from AccessControl.ZopeGuards import guarded_hasattr
     obj, name = object(), 'nonesuch'
     self.assertFalse(guarded_hasattr(obj, name))
     self.assertEqual(len(self.__sm.calls), 0)
     del self.__sm.calls[:]
Example #22
0
 def test_unhashable_key(self):
     from AccessControl.ZopeGuards import guarded_hasattr
     obj, name = object(), {}
     self.assertFalse(guarded_hasattr(obj, name))
     self.assertEqual(len(self.__sm.calls), 0)