def protect_getattr(class_, name, permission=None):
    """Register a getattr (read access) permission check for ``name``.

    ``permission`` is first passed through ``check_or_default_permission``.
    If the caller supplies none, access will be public, so pass a permission
    explicitly for any attribute that must not be readable by everyone.
    """
    resolved = check_or_default_permission(class_, permission)
    protectName(class_, name, resolved)
def testLikeUntoOnly(self):
    # Declare read and write protection for m1/m2 on the base, then copy
    # the base's declarations onto test_class with protectLikeUnto.
    base = TestModule.test_base
    for attr in ("m1", "m2"):
        protectName(base, attr, P1)
    for attr in ("m1", "m2"):
        protectSetAttribute(base, attr, P1)
    protectLikeUnto(TestModule.test_class, base)
    # Only m1 and m2 were protected on the base, so only they are expected
    # to carry P1 on test_class; no m3 permission is passed to the asserts.
    self.assertState(m1P=P1, m2P=P1)
    self.assertSetattrState(m1P=P1, m2P=P1)
def testLikeUntoOnly(self):
    # Read (getattr) and write (setattr) protection for m1/m2 is declared
    # on the base class first; test_class then inherits it by "like unto".
    source = TestModule.test_base
    protected = ('m1', 'm2')
    for method_name in protected:
        protectName(source, method_name, P1)
    for method_name in protected:
        protectSetAttribute(source, method_name, P1)
    protectLikeUnto(TestModule.test_class, source)
    # m1 and m2 should now be protected with P1 on test_class; m3 was never
    # declared, so no permission is asserted for it.
    self.assertState(m1P=P1, m2P=P1)
    self.assertSetattrState(m1P=P1, m2P=P1)
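def _protect(cls, protect=None, like_class=None):
    """Register security protections for cls, as per protect/like_class.

    Constraint: cls must be a type, class or module. Exactly one of
    ``protect`` and ``like_class`` must be given.

    An attempt to reset an explicitly listed attribute to a different
    permission raises an error.

    The protect parameter is a dictionary that can specify whatever a
    sequence of class/require zcml directives may specify (except for the
    non-compatible like_class, which if needed may be provided as a separate
    parameter):

    protect:{
        permission:str: {
            attributes:[str],
            set_attributes:[str],  # tbd, zope.security.metaconfigure
            interface:Interface,
            set_schema:Interface  # tbd
        }
    }
    like_class: either(type, class, module)

    Only the ``interface`` and ``attributes`` keys are read here. The
    entries marked "tbd" (``set_attributes``, ``set_schema``) are ignored,
    so this helper declares no setattr protection.

    Raises:
        AssertionError: if both or neither of protect/like_class are given,
            or if a listed attribute already carries a different permission.
    """
    # These checks are raised explicitly rather than written as ``assert``
    # statements, which are removed under ``python -O``. In particular the
    # permission-conflict guard below would then be skipped silently. The
    # exception type and messages are unchanged for existing callers.
    if protect is None and like_class is None:
        raise AssertionError(
            "[%s] params protect [%s] or like_class [%s] may not be both None." % (
                cls, protect, like_class))
    if protect is not None and like_class is not None:
        raise AssertionError(
            "[%s] One of params protect [%s] or like_class [%s] must be None." % (
                cls, protect, like_class))

    if like_class is not None:
        protectclass.protectLikeUnto(cls, like_class)
        return

    for permission in protect:
        spec = protect[permission]

        interface = spec.get("interface")
        if interface:
            # NOTE(review): names taken from an interface go straight to
            # protectName with no previous-permission check, unlike the
            # explicit attributes below. Confirm that is intended.
            for attr, _ in interface.namesAndDescriptions(1):
                protectclass.protectName(cls, attr, permission)

        attributes = spec.get("attributes")
        if attributes:
            for attr in attributes:
                # retrieve cls checker on each attr (may not be defined on first)
                checker = protectclass.getCheckerForInstancesOf(cls)
                if checker is not None:
                    previous_permission = checker.get_permissions.get(attr)
                    if previous_permission is not None:
                        if previous_permission != permission:
                            raise AssertionError(
                                "Cannot change protection of class [%s] "
                                "attribute [%s] from [%s] to [%s]" % (
                                    cls, attr, previous_permission, permission))
                        # Already protected with this same permission.
                        continue
                protectclass.protectName(cls, attr, permission)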
def testLikeUntoAsDefault(self):
    # The base gets P1 for reading and writing m1/m2, and test_class copies
    # those declarations via protectLikeUnto.
    base = TestModule.test_base
    derived = TestModule.test_class
    for attr in ('m1', 'm2'):
        protectName(base, attr, P1)
    for attr in ('m1', 'm2'):
        protectSetAttribute(base, attr, P1)
    protectLikeUnto(derived, base)
    # Explicit declarations made after the copy: m2 is re-declared with P2
    # and m3 is newly protected with P2.
    for attr in ('m2', 'm3'):
        protectName(derived, attr, P2)
    for attr in ('m2', 'm3'):
        protectSetAttribute(derived, attr, P2)
    # The copied permission acts only as a default: m1 keeps P1, while the
    # later explicit declaration replaces it for m2 and m3 gets P2.
    self.assertState(m1P=P1, m2P=P2, m3P=P2)
    self.assertSetattrState(m1P=P1, m2P=P2, m3P=P2)
def testInherited(self):
    # Two unrelated bases and a subclass inheriting a method from each.
    class B1(object):
        def g(self):
            return 'B1.g'

    class B2(object):
        def h(self):
            return 'B2.h'

    class S(B1, B2):
        pass

    # Register the permission ids used below as IPermission utilities.
    for perm_id in ('B1', 'S'):
        component.provideUtility(Permission(perm_id, ''), IPermission, perm_id)

    protectName(B1, 'g', 'B1')
    for attr in ('g', 'h'):
        protectName(S, attr, 'S')

    # Declarations on S must not leak back to its bases: B1.g keeps 'B1',
    # B2.h stays undeclared, and both names resolve to 'S' on S instances.
    expectations = (
        (B1, 'g', 'B1'),
        (B2, 'h', None),
        (S, 'g', 'S'),
        (S, 'h', 'S'),
    )
    for klass, attr, permission_id in expectations:
        self.assertEqual(
            selectChecker(klass()).permission_id(attr), permission_id)

    # The inherited implementations themselves are untouched.
    self.assertEqual(S().g(), 'B1.g')
    self.assertEqual(S().h(), 'B2.h')
def defineCheckers():
    # Test-only setup: declare FileResource.__call__ with 'zope.Public' so
    # these tests can call the resource. A public declaration like this is
    # not a model for protecting real resources.
    from zope.security import protectclass
    from zope.browserresource.file import FileResource
    protectclass.protectName(FileResource, '__call__', 'zope.Public')
def _callFUT(self, class_, name, permission):
    # Import at call time so the function under test is looked up fresh for
    # every test, then forward the arguments unchanged.
    from zope.security import protectclass
    return protectclass.protectName(class_, name, permission)
# NOTE(review): the two assignments below appear to be the tail of a class
# body whose header lies outside this excerpt (presumably MyContent, the class
# protected further down). Confirm against the full file.
    age = 10
    surname = u"Someone"


class TestLayout(Layout):
    # Registered for interface.Interface as its context.
    grok.context(interface.Interface)

    def render(self):
        # Prefix the view's rendered content with an HTML 4.01 strict doctype.
        return '''<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">''' + (
            self.view.content())


# Security must be declared explicitly for the attributes these tests access
# on MyContent. All of them are declared with 'zope.Public'.
protectName(MyContent, 'age', 'zope.Public')
protectName(MyContent, 'surname', 'zope.Public')
protectName(MyContent, 'absolute_url', 'zope.Public')
# Everybody has edit rights, so the tests are simpler. This is a test-fixture
# shortcut only: declaring setattr with 'zope.Public' lets anyone write these
# attributes, so real content should use a restrictive permission.
protectSetAttribute(MyContent, 'age', 'zope.Public')
protectSetAttribute(MyContent, 'surname', 'zope.Public')


class Index(view.View):
    # View registered for MyContent objects.
    grok.context(MyContent)

    def render(self):
        # Reads the two attributes declared readable above from the context.
        return "name: {0}; age: {1}".format(self.context.surname,
                                            self.context.age)
def testSimpleMethodsPlural(self):
    # Protect several methods of the same class with one permission; m2 is
    # deliberately left undeclared and is not part of the expected state.
    for attr in ("m1", "m3"):
        protectName(TestModule.test_class, attr, P1)
    self.assertState(m1P=P1, m3P=P1)
def testSimpleMethodsPlural(self):
    # Declare P1 on m1 and m3 of test_class, then verify that exactly those
    # two permissions are reported by the checker state.
    target = TestModule.test_class
    for method_name in ('m1', 'm3'):
        protectName(target, method_name, P1)
    self.assertState(m1P=P1, m3P=P1)