def makeObjects(self): checker = NamesChecker(["__getitem__"]) defineChecker(SiteManagerStub, checker) self.futurama = futurama = SampleSite() directlyProvides(futurama, IContainmentRoot) planetexpress = SampleContainer() robotfactory = SampleContainer() nimbus = SampleContainer() omicronpersei = SampleSite() bender = SampleContent() fry = SampleContent() leela = SampleContent() mom = SampleContent() zapp = SampleContent() kif = SampleContent() setitem(futurama, futurama.__setitem__, "planetexpress", planetexpress) setitem(futurama, futurama.__setitem__, "robotfactory", robotfactory) setitem(futurama, futurama.__setitem__, "nimbus", nimbus) setitem(futurama, futurama.__setitem__, "omicronpersei", omicronpersei) setitem(planetexpress, planetexpress.__setitem__, "bender", bender) setitem(planetexpress, planetexpress.__setitem__, "fry", fry) setitem(planetexpress, planetexpress.__setitem__, "leela", leela) setitem(robotfactory, robotfactory.__setitem__, "mom", mom) setitem(nimbus, nimbus.__setitem__, "zapp", zapp) setitem(nimbus, nimbus.__setitem__, "kif", kif)
def setUp(self): super(AuthZopePublicationTests, self).setUp() principalRegistry.defineDefaultPrincipal('anonymous', '') root = self.db.open().root() app = root[ZopePublication.root_name] app['f1'] = rootFolder() f1 = app['f1'] f1['f2'] = Folder() if not ISite.providedBy(f1): f1.setSiteManager(LocalSiteManager(f1)) sm1 = f1.getSiteManager() addUtility(sm1, '', IAuthentication, AuthUtility1()) f2 = f1['f2'] if not ISite.providedBy(f2): f2.setSiteManager(LocalSiteManager(f2)) sm2 = f2.getSiteManager() addUtility(sm2, '', IAuthentication, AuthUtility2()) transaction.commit() from zope.container.interfaces import ISimpleReadContainer from zope.container.traversal import ContainerTraverser component.provideAdapter(ContainerTraverser, (ISimpleReadContainer, IRequest), IPublishTraverse, name='') from zope.site.interfaces import IFolder from zope.security.checker import defineChecker, InterfaceChecker defineChecker(Folder, InterfaceChecker(IFolder))
def protectLikeUnto(class_, like_unto): """Use the protections from like_unto for class_""" unto_checker = getCheckerForInstancesOf(like_unto) if unto_checker is None: return # We know a dictionary was used because we set it # Note however, that if a checker was created manually # and the caller used say NamesChecker or MultiChecker, # then set_permissions may be None here as Checker # defaults a missing set_permissions parameter to None. # Jim says this doensn't happens with the C version of the # checkers because they use a 'shared dummy dict'. unto_get_protections = unto_checker.get_permissions unto_set_protections = unto_checker.set_permissions checker = getCheckerForInstancesOf(class_) if checker is None: checker = Checker({}, {}) defineChecker(class_, checker) get_protections = checker.get_permissions for name in unto_get_protections: get_protections[name] = unto_get_protections[name] set_protections = checker.set_permissions for name in unto_set_protections: set_protections[name] = unto_set_protections[name]
def ttwElementDirective( _context, name, title, for_ = interface.Interface, description=u'', layer = IDefaultBrowserLayer, template=u''): # register pageelement pageelementDirective( _context, name, for_=for_, title=title, description=description, layer=layer, template=template) # Make sure that the template exists template = os.path.abspath(str(_context.path(template))) if not os.path.isfile(template): raise ConfigurationError("No such file", template) # Build a new class that we can use different permission settings if we # use the class more then once. cdict = {} cdict['name'] = name cdict['title'] = title cdict['description'] = description cdict['template'] = template newclass = type( str('<TTWResourceFactory %s>'%name), (TTWPageElementFactory,), cdict) # Set up permission mapping for various accessible attributes required = {} for iname in ITTWPageElementFactory: required[iname] = CheckerPublic # security checker defineChecker(newclass, Checker(required)) # register the page element adapter(_context, (newclass,), ITTWItemFactory, (for_, layer), name=name)
def ttwResourceDirective( _context, name, title, for_ = interface.Interface, layer = IDefaultBrowserLayer, type = '', file = None, description=u'', **kwargs): rname = u'simplettw.%s'%name # register resource resourceDirective( _context, rname, file, layer, permission='zope.Public', type='') # Build a new class that we can use different permission settings if we # use the class more then once. cdict = {} cdict['name'] = name cdict['title'] = title cdict['description'] = description cdict['file'] = os.path.abspath(str(_context.path(file))) cdict['contentType'] = type newclass = Type( str('<TTWResourceFactory %s>'%name), (TTWResourceFactory,), cdict) # Set up permission mapping for various accessible attributes required = dict([(iname, CheckerPublic) for iname in ITTWResourceFactory]) defineChecker(newclass, Checker(required)) # register the resource element adapter(_context, (newclass,), ITTWItemFactory, (ISimpleTTW, layer), name=name) # register IStaticResource adapter adapter(_context, (StaticResource(rname),), IStaticResource, (layer,), name=name)
def _testBaseTags(self, url, expected): # Make sure I1 and O1 are visible in the module namespace # so that the classes can be pickled. import transaction pub = BrowserPublication(self.db) ztapi.browserView(I1, 'view', DummyView) ztapi.setDefaultViewName(I1, 'view') ztapi.browserViewProviding(None, TestTraverser, IBrowserPublisher) ob = O1() ## the following is for running the tests standalone principalRegistry.defineDefaultPrincipal('tim', 'timbot', 'ai at its best') # now place our object inside the application connection = self.db.open() app = connection.root()['Application'] app.somepath = ob transaction.commit() connection.close() defineChecker(app.__class__, NamesChecker(somepath='xxx')) req = self._createRequest(url, pub) response = req.response publish(req, handle_errors=0) self.assertEqual(response.getBase(), expected)
def EditViewFactory(name, schema, label, permission, layer, template, default_template, bases, for_, fields, fulledit_path=None, fulledit_label=None): class_ = SimpleViewClass(template, used_for=schema, bases=bases, name=name) class_.schema = schema class_.label = label class_.fieldNames = fields class_.fulledit_path = fulledit_path if fulledit_path and (fulledit_label is None): fulledit_label = "Full edit" class_.fulledit_label = fulledit_label class_.generated_form = ViewPageTemplateFile(default_template) defineChecker(class_, NamesChecker(("__call__", "__getitem__", "browserDefault", "publishTraverse"), permission)) if layer is None: layer = IDefaultBrowserLayer s = zapi.getGlobalSiteManager() s.provideAdapter((for_, layer), Interface, name, class_)
def register(self, context, name, factory, module_info, templates): # Try to set up permissions (copied from the View grokker) permissions = grok.util.class_annotation(factory, 'grok.require', []) if not permissions: checker = NamesChecker(['render']) elif len(permissions) > 1: raise GrokError( 'grok.require was called multiple times in viewlet ' '%r. It may only be called once.' % factory, factory) elif permissions[0] == 'zope.Public': checker = NamesChecker(['render']) else: perm = permissions[0] if component.queryUtility(IPermission, name=perm) is None: raise GrokError( 'Undefined permission %r in view %r. Use ' 'grok.define_permission first.' % (perm, factory), factory) checker = NamesChecker(['render'], permissions[0]) defineChecker(factory, checker) manager = factory.viewlet_manager component.provideAdapter( factory, adapts=( None, # TODO: Make configurable IDefaultBrowserLayer, # TODO: Make configurable IBrowserView, manager), provides=IViewlet, name=name)
def test_ProxyFactory(self): class SomeClass(object): pass import zope.security checker = NamesChecker() specific_checker = NamesChecker() checker_as_magic_attr = NamesChecker() obj = SomeClass() proxy = ProxyFactory(obj) self.assert_(type(proxy) is Proxy) from zope.security.checker import _defaultChecker self.assert_(getChecker(proxy) is _defaultChecker) defineChecker(SomeClass, checker) proxy = ProxyFactory(obj) self.assert_(type(proxy) is Proxy) self.assert_(getChecker(proxy) is checker) obj.__Security_checker__ = checker_as_magic_attr proxy = ProxyFactory(obj) self.assert_(type(proxy) is Proxy) self.assert_(getChecker(proxy) is checker_as_magic_attr) proxy = ProxyFactory(obj, specific_checker) self.assert_(type(proxy) is Proxy) self.assert_(getChecker(proxy) is specific_checker)
def test_both_wrapper_and_object_have_checkers_not_security_proxied(self): from zope.proxy import ProxyBase from zope.security.checker import CombinedChecker from zope.security.checker import NamesChecker from zope.security.checker import defineChecker from zope.security.interfaces import ForbiddenAttribute class Foo(object): a = 'a' fooChecker = NamesChecker(['a']) # a is public defineChecker(Foo, fooChecker) foo = Foo() fooChecker.check(foo, 'a') # no raise self.assertRaises(ForbiddenAttribute, fooChecker.check, foo, 'b') class Wrapper(ProxyBase): b = 'b' __Security_checker__ = self._makeOne() wrapperChecker = NamesChecker(['b']) # b is public defineChecker(Wrapper, wrapperChecker) wrapper = Wrapper(foo) self.assertRaises(ForbiddenAttribute, wrapperChecker.check, foo, 'a') wrapperChecker.check(foo, 'b') # no raise checker = wrapper.__Security_checker__ self.assertTrue(isinstance(checker, CombinedChecker)) checker.check(wrapper, 'a') # no raise checker.check(wrapper, 'b') # no raise
def DisplayViewFactory(name, schema, label, permission, layer, template, default_template, bases, for_, fields, fulledit_path=None, fulledit_label=None): class_ = SimpleViewClass(template, used_for=schema, bases=bases, name=name) class_.schema = schema class_.label = label class_.fieldNames = fields class_.fulledit_path = fulledit_path if fulledit_path and (fulledit_label is None): fulledit_label = "Full display" class_.fulledit_label = fulledit_label class_.generated_form = ViewPageTemplateFile(default_template) defineChecker( class_, NamesChecker(("__call__", "__getitem__", "browserDefault"), permission)) if layer is None: layer = IDefaultBrowserLayer sm = zope.component.getGlobalSiteManager() sm.registerAdapter(class_, (for_, layer), Interface, name)
def test_both_wrapper_and_object_have_checkers_security_proxied(self): from zope.proxy import ProxyBase from zope.security.checker import CombinedChecker from zope.security.checker import NamesChecker from zope.security.checker import defineChecker from zope.security.proxy import ProxyFactory class Foo(object): a = 'a' fooChecker = NamesChecker(['a']) # a is public defineChecker(Foo, fooChecker) foo = Foo() f_sec = ProxyFactory(foo) class Wrapper(ProxyBase): b = 'b' __Security_checker__ = self._makeOne() wrapperChecker = NamesChecker(['b']) # b is public defineChecker(Wrapper, wrapperChecker) w_sec = Wrapper(f_sec) checker = w_sec.__Security_checker__ self.assertTrue(isinstance(checker, CombinedChecker)) checker.check(w_sec, 'a') # no raise checker.check(w_sec, 'b') # no raise
def test_template_context_wrapping(self): class AU(BrowserView): def __str__(self): name = self.context.__name__ if name is None: return 'None' return name defineChecker(AU, NamesChecker(['__str__'])) from zope.traversing.namespace import view from zope.traversing.interfaces import ITraversable provideAdapter(view, (None,), ITraversable, name="view") provideAdapter(view, (None, None), ITraversable, name="view") provideAdapter( AU, (IZopachePageTemplate, TestRequest), Interface, name='name') page = ZopachePageTemplate() page.setSource( u'<p tal:replace="template/@@name" />' ) page = contained(page, None, name='zpt') request = TestRequest() self.assertEquals(page.render(request), u'zpt')
def _testBaseTags(self, url, expected): # Make sure I1 and O1 are visible in the module namespace # so that the classes can be pickled. import transaction pub = BrowserPublication(self.db) ztapi.browserView(I1, 'view', DummyView) ztapi.setDefaultViewName(I1, 'view') ztapi.browserViewProviding(None, TestTraverser, IBrowserPublisher) ob = O1() ## the following is for running the tests standalone principalRegistry.defineDefaultPrincipal( 'tim', 'timbot', 'ai at its best') # now place our object inside the application connection = self.db.open() app = connection.root()['Application'] app.somepath = ob transaction.commit() connection.close() defineChecker(app.__class__, NamesChecker(somepath='xxx')) req = self._createRequest(url, pub) response = req.response publish(req, handle_errors=0) self.assertEqual(response.getBase(), expected)
def execute(self, factory, config, permissions, **kw): if not permissions: return False if get_config().getboolean('auth', 'enforce_attribute_rights_definition'): perms = {} else: perms = AuditingPermissionDictionary() # mandatory, otherwise zope's default Checker impl will be used # which doesn't play well with Twisted. defineChecker(factory, Checker(perms, perms)) # TODO: supply the 'inherit' option to the class somehow # to facilitate optional inheritance of all permissions for class_inheritance_level in permissions: for name, permission in class_inheritance_level.items(): if isinstance(permission, tuple): read_perm, write_perm = permission config.action(discriminator=('protectNameSet', factory, name), callable=grokcore.security.util.protect_setattr, args=(factory, name, write_perm)) else: read_perm = permission config.action(discriminator=('protectName', factory, name), callable=grokcore.security.util.protect_getattr, args=(factory, name, read_perm)) return True
def makeObjects(self): checker = NamesChecker(['__getitem__']) defineChecker(SiteManagerStub, checker) self.futurama = futurama = SampleSite() directlyProvides(futurama, IContainmentRoot) planetexpress = SampleContainer() robotfactory = SampleContainer() nimbus = SampleContainer() omicronpersei = SampleSite() bender = SampleContent() fry = SampleContent() leela = SampleContent() mom = SampleContent() zapp = SampleContent() kif = SampleContent() setitem(futurama, futurama.__setitem__, 'planetexpress', planetexpress) setitem(futurama, futurama.__setitem__, 'robotfactory', robotfactory) setitem(futurama, futurama.__setitem__, 'nimbus', nimbus) setitem(futurama, futurama.__setitem__, 'omicronpersei', omicronpersei) setitem(planetexpress, planetexpress.__setitem__, 'bender', bender) setitem(planetexpress, planetexpress.__setitem__, 'fry', fry) setitem(planetexpress, planetexpress.__setitem__, 'leela', leela) setitem(robotfactory, robotfactory.__setitem__, 'mom', mom) setitem(nimbus, nimbus.__setitem__, 'zapp', zapp) setitem(nimbus, nimbus.__setitem__, 'kif', kif)
def portletManagerDirective( _context, name, title, for_=None, description=u'', class_=None, schema=None, layer=IDefaultBrowserLayer, provides=(), portlettype=IPortlet, **kw): # Build a new class ManagerClass = PortletManager( name, class_, provides, title, description, schema, portlettype, **kw) # Set up permission mapping for various accessible attributes required = {'__call__': CheckerPublic, 'browserDefault': CheckerPublic, 'publishTraverse': CheckerPublic} for iname in IPortletManager: required[iname] = CheckerPublic # security checker defineChecker(ManagerClass, Checker(required)) # security for schema fields for iface in (IPortletManagerConfiguration, schema): if iface is None: continue for f_id in iface: field = iface[f_id] if IField.providedBy(field) and not field.readonly: protectSetAttribute(ManagerClass, f_id, 'zojax.ManagePortlets') protectName(ManagerClass, f_id, 'zope.Public') # register the portlet manager adapter(_context, (ManagerClass,), IPortletManager, (for_, layer, None), name=name)
def execute(self, factory, config, permissions, **kw): if not permissions: return False if get_config().getboolean('auth', 'enforce_attribute_rights_definition'): perms = {} else: perms = AuditingPermissionDictionary() # mandatory, otherwise zope's default Checker impl will be used # which doesn't play well with Twisted. defineChecker(factory, Checker(perms, perms)) # TODO: supply the 'inherit' option to the class somehow # to facilitate optional inheritance of all permissions for class_inheritance_level in permissions: for name, permission in class_inheritance_level.items(): if isinstance(permission, tuple): read_perm, write_perm = permission config.action( discriminator=('protectNameSet', factory, name), callable=grokcore.security.util.protect_setattr, args=(factory, name, write_perm)) else: read_perm = permission config.action(discriminator=('protectName', factory, name), callable=grokcore.security.util.protect_getattr, args=(factory, name, read_perm)) return True
def AddViewFactory(name, schema, label, permission, layer, template, default_template, bases, for_, fields, content_factory, arguments, keyword_arguments, set_before_add, set_after_add): class_ = SimpleViewClass( template, used_for=schema, bases=bases, name=name) class_.schema = schema class_.label = label class_.fieldNames = fields class_._factory_or_id = content_factory class_._factory = property(_getFactory, _setFactory) class_._arguments = arguments class_._keyword_arguments = keyword_arguments class_._set_before_add = set_before_add class_._set_after_add = set_after_add class_.generated_form = ViewPageTemplateFile(default_template) defineChecker(class_, NamesChecker( ("__call__", "__getitem__", "browserDefault", "publishTraverse"), permission, ) ) if layer is None: layer = IDefaultBrowserLayer s = zope.component.getGlobalSiteManager() s.registerAdapter(class_, (for_, layer), Interface, name)
def setUp(self): super(ZPTPageTests, self).setUp() ztapi.provideAdapter(None, ITraverser, Traverser) ztapi.provideAdapter(None, ITraversable, DefaultTraversable) ztapi.provideAdapter(None, IPhysicallyLocatable, LocationPhysicallyLocatable) ztapi.provideAdapter(IContainmentRoot, IPhysicallyLocatable, RootPhysicallyLocatable) defineChecker(Data, NamesChecker(['URL', 'name']))
def handle_security(class_, permission, interfaces, attributes): required = set(attributes) for ifc in interfaces: required.update(set(ifc)) if permission == 'zope.Public': permission = CheckerPublic defineChecker(class_, Checker(dict.fromkeys(required, permission)))
def setUp(self): super(ZopachePageTemplateTests, self).setUp() provideAdapter(Traverser, (None,), ITraverser) provideAdapter(DefaultTraversable, (None,), ITraversable) provideAdapter( LocationPhysicallyLocatable, (None,), IPhysicallyLocatable) provideAdapter( RootPhysicallyLocatable, (IContainmentRoot,), IPhysicallyLocatable) defineChecker(Data, NamesChecker(['URL', 'name']))
def setUp(self): super(ZPTPageTests, self).setUp() ztapi.provideAdapter(None, ITraverser, Traverser) ztapi.provideAdapter(None, ITraversable, DefaultTraversable) ztapi.provideAdapter( None, IPhysicallyLocatable, LocationPhysicallyLocatable) ztapi.provideAdapter( IContainmentRoot, IPhysicallyLocatable, RootPhysicallyLocatable) defineChecker(Data, NamesChecker(['URL', 'name']))
def testAllAllowed(self): defineChecker(C, Checker({'folder': CheckerPublic, 'item': CheckerPublic, })) tr = Traverser(ProxyFactory(self.root)) item = self.item self.assertEquals(tr.traverse(('', 'folder', 'item')), item) self.assertEquals(tr.traverse(('folder', 'item')), item)
def make_checker(factory, view_factory, permission, method_names=None): if method_names is None: method_names = ['__call__'] if permission is not None: check_permission(factory, permission) if permission is None or permission == 'zope.Public': checker = NamesChecker(method_names) else: checker = NamesChecker(method_names, permission) defineChecker(view_factory, checker)
def test_resources(self): browserResource('quux', Resource) # Only register the checker once, so that multiple test runs pass. if Resource not in _checkers: defineChecker(Resource, NamesChecker(['__call__'])) self.addPage('/foo/bar/pt', u'<span tal:replace="context/++resource++quux" />') self.verify('/foo/bar/pt', 'http://localhost/@@/quux') self.verify('/foo/++vh++https:localhost:443/fake/folders/++/bar/pt', 'https://localhost/fake/folders/@@/quux')
def test_resources(self): browserResource('quux', Resource) # Only register the checker once, so that multiple test runs pass. if Resource not in _checkers: defineChecker(Resource, NamesChecker(['__call__'])) self.addPage(u'/foo/bar/pt', u'context/++resource++quux') self.verify(u'/foo/bar/pt', u'http://localhost/@@/quux') self.verify(u'/foo/++vh++https:localhost:443/fake/folders/++/bar/pt', u'https://localhost/fake/folders/@@/quux')
def whitelist_module(module, classes=[], definitions=[]): # For python scripts and zope allow_module(module) for klass in classes: allow_class(klass) if definitions: ModuleSecurityInfo(module).declarePublic(*definitions) # for zope.untrustedpython defineChecker(imodule, NamesChecker([meth for meth in dir(imodule) if meth[0] != "_"]))
def testAllAllowed(self): defineChecker( C, Checker({ 'folder': CheckerPublic, 'item': CheckerPublic, })) tr = Traverser(ProxyFactory(self.root)) item = self.item self.assertEqual(tr.traverse(('', 'folder', 'item')), item) self.assertEqual(tr.traverse(('folder', 'item')), item)
def execute(self, factory, config, permission, **kw): # mandatory, otherwise zope's default Checker impl will be used # which doesn't play well in async frameworks like twisted. defineChecker(factory, Checker({}, {})) for method_name in [i for i in dir(factory) if i.startswith('render')]: config.action(discriminator=('protectName', factory, method_name), callable=protect_getattr, args=(factory, method_name, permission)) return True
def testItemDenied(self): endInteraction() newInteraction(ParticipationStub('no one')) defineChecker(C, Checker({'item': 'Waaaa', 'folder': CheckerPublic})) tr = Traverser(ProxyFactory(self.root)) folder = self.folder self.assertRaises(Unauthorized, tr.traverse, ('', 'folder', 'item')) self.assertRaises(Unauthorized, tr.traverse, ('folder', 'item')) self.assertEqual(tr.traverse(('', 'folder')), folder) self.assertEqual(tr.traverse(('folder', '..', 'folder')), folder) self.assertEqual(tr.traverse(('folder', )), folder)
def test_define_and_undefineChecker(self): class SomeClass(object): pass obj = SomeClass() checker = NamesChecker() from zope.security.checker import _defaultChecker, selectChecker self.assert_(selectChecker(obj) is _defaultChecker) defineChecker(SomeClass, checker) self.assert_(selectChecker(obj) is checker) undefineChecker(SomeClass) self.assert_(selectChecker(obj) is _defaultChecker)
def make_checker(factory, view_factory, permission): """Make a checker for a view_factory associated with factory. These could be one and the same for normal views, or different in case we make method-based views such as for JSON and XMLRPC. """ if permission is not None: check_permission(factory, permission) if permission is None or permission == 'zope.Public': checker = NamesChecker(['__call__']) else: checker = NamesChecker(['__call__'], permission) defineChecker(view_factory, checker)
def test_w_existing_like_unto_checker_wo_existing_checker(self): from zope.security.checker import Checker from zope.security.checker import CheckerPublic from zope.security.checker import defineChecker from zope.security.checker import _checkers permission = object() foo_checker = Checker({'bar': CheckerPublic}, {'bar': permission}) defineChecker(Foo, foo_checker) self._callFUT(Bar, Foo) bar_checker = _checkers[Bar] self.assertEqual(bar_checker.get_permissions, foo_checker.get_permissions) self.assertEqual(bar_checker.set_permissions, foo_checker.set_permissions)
def protectName(class_, name, permission): """Set a permission on a particular name.""" checker = getCheckerForInstancesOf(class_) if checker is None: checker = Checker({}, {}) defineChecker(class_, checker) if permission == 'zope.Public': # Translate public permission to CheckerPublic permission = CheckerPublic # We know a dictionary was used because we set it protections = checker.get_permissions protections[name] = permission
def testItemDenied(self): endInteraction() newInteraction(ParticipationStub('no one')) defineChecker(C, Checker({'item': 'Waaaa', 'folder': CheckerPublic})) tr = Traverser(ProxyFactory(self.root)) folder = self.folder self.assertRaises(Unauthorized, tr.traverse, ('', 'folder', 'item')) self.assertRaises(Unauthorized, tr.traverse, ('folder', 'item')) self.assertEquals(tr.traverse(('', 'folder')), folder) self.assertEquals(tr.traverse(('folder', '..', 'folder')), folder) self.assertEquals(tr.traverse(('folder',)), folder)
def setUp(self): super(ZopeViewReplacementFixture, self).setUp() if self.replacement is None: raise ValueError('replacement is not set') self.gsm.adapters.register( (self.context_interface, self.request_interface), Interface, self.name, self.replacement) # The same checker should be sufficient. If it ever isn't, we # can add more flexibility then. defineChecker(self.replacement, self.checker) self.addCleanup(undefineChecker, self.replacement) self.addCleanup(self.gsm.adapters.register, (self.context_interface, self.request_interface), Interface, self.name, self.original)
def make_checker(factory, view_factory, permission, method_names=None): """Make a checker for a view_factory associated with factory. These could be one and the same for normal views, or different in case we make method-based views such as for JSON and XMLRPC. """ if method_names is None: method_names = ['__call__'] if permission is not None: check_permission(factory, permission) if permission is None or permission == 'zope.Public': checker = NamesChecker(method_names) else: checker = NamesChecker(method_names, permission) defineChecker(view_factory, checker)
def test_locationproxy_security(self): from zope.security.checker import defineChecker from zope.security.checker import NamesChecker from zope.security.proxy import ProxyFactory class Unlocated(object): a = 'a' unlocated = Unlocated() located = LocationProxy(unlocated) # define a checker for the unlocated object, which will also be # used by the security proxy as the LocationProxy defines # __Security_checker__: unlocatedChecker = NamesChecker(['a']) defineChecker(Unlocated, unlocatedChecker) secure_located = ProxyFactory(located) self.assertEqual(secure_located.a, 'a')
def test_neither_wrapper_nor_object_has_checker(self): from zope.proxy import ProxyBase from zope.security.checker import NoProxy from zope.security.checker import defineChecker class Foo(object): a = 'a' defineChecker(Foo, NoProxy) foo = Foo() class Wrapper(ProxyBase): b = 'b' __Security_checker__ = self._makeOne() defineChecker(Wrapper, NoProxy) wrapper = Wrapper(foo) self.assertRaises(AttributeError, getattr, wrapper, '__Security_checker__')
def testPlacefulAuth(self): setup.setUpTraversal() setup.setUpSiteManagerLookup() principalRegistry.defineDefaultPrincipal('anonymous', '') root = self.db.open().root() app = root[ZopePublication.root_name] app['f1'] = rootFolder() f1 = app['f1'] f1['f2'] = Folder() sm1 = setup.createSiteManager(f1) setup.addUtility(sm1, '', IAuthenticationUtility, AuthUtility1()) f2 = f1['f2'] sm2 = setup.createSiteManager(f2) setup.addUtility(sm2, '', IAuthenticationUtility, AuthUtility2()) transaction.commit() from zope.app.container.interfaces import ISimpleReadContainer from zope.app.container.traversal import ContainerTraverser ztapi.provideView(ISimpleReadContainer, IRequest, IPublishTraverse, '', ContainerTraverser) from zope.app.folder.interfaces import IFolder from zope.security.checker import defineChecker, InterfaceChecker defineChecker(Folder, InterfaceChecker(IFolder)) self.publication.beforeTraversal(self.request) self.assertEqual(list(queryInteraction().participations), [self.request]) self.assertEqual(self.request.principal.id, 'anonymous') root = self.publication.getApplication(self.request) self.publication.callTraversalHooks(self.request, root) self.assertEqual(self.request.principal.id, 'anonymous') ob = self.publication.traverseName(self.request, root, 'f1') self.publication.callTraversalHooks(self.request, ob) self.assertEqual(self.request.principal.id, 'test.anonymous') ob = self.publication.traverseName(self.request, ob, 'f2') self.publication.afterTraversal(self.request, ob) self.assertEqual(self.request.principal.id, 'test.bob') self.assertEqual(list(queryInteraction().participations), [self.request]) self.publication.endRequest(self.request, ob) self.assertEqual(queryInteraction(), None)
def protectModule(module, name, permission): """Set up a module checker to require a permission to access a name If there isn't a checker for the module, create one. """ checker = moduleChecker(module) if checker is None: checker = Checker({}, {}) defineChecker(module, checker) if permission == 'zope.Public': # Translate public permission to CheckerPublic permission = CheckerPublic # We know a dictionary get method was used because we set it protections = checker.get_permissions protections[name] = permission
def register_help_folder(context, folder, name): """Create a help folder subclass and register it with the ZCA.""" help_folder = type(str('%s for %s' % (name, folder)), (HelpFolder, ), { 'folder': folder, '__name__': name }) defineChecker( help_folder, NamesChecker(list(IBrowserPublisher.names(True)) + ['__call__'])) context.action( discriminator=('view', (ILaunchpadApplication, IBrowserRequest), name), callable=handler, args=('registerAdapter', help_folder, (ILaunchpadApplication, IBrowserRequest), Interface, name, context.info), )
def test_template_context_wrapping(self): class AU(BrowserView): def __str__(self): name = self.context.__name__ if name is None: return 'None' return name defineChecker(AU, NamesChecker(['__str__'])) from zope.traversing.namespace import view ztapi.provideNamespaceHandler('view', view) ztapi.browserView(IZPTPage, 'name', AU) page = ZPTPage() page.setSource(u'<p tal:replace="template/@@name" />') page = contained(page, None, name='zpt') request = TestRequest() self.assertEquals(page.render(request), u'zpt')
def protectSetAttribute(class_, name, permission): """Set a permission on a particular name.""" checker = getCheckerForInstancesOf(class_) if checker is None: checker = Checker({}, {}) defineChecker(class_, checker) if permission == zope_Public: # Translate public permission to CheckerPublic permission = CheckerPublic # We know a dictionary was used because we set it # Note however, that if a checker was created manually # and the caller used say NamesChecker or MultiChecker, # then set_permissions may be None here as Checker # defaults a missing set_permissions parameter to None. # Jim says this doensn't happens with the C version of the # checkers because they use a 'shared dummy dict'. protections = checker.set_permissions protections[name] = permission