def protect_getattr(class_, name, permission=None):
"""Install a getattr permission check for the attribute ``name``.
If ``permission`` is not supplied, access will be public.
"""
permission = check_or_default_permission(class_, permission)
protectName(class_, name, permission)
def protect_getattr(class_, name, permission=None):
"""Install a getattr permission check for the attribute ``name``.
If ``permission`` is not supplied, access will be public.
"""
permission = check_or_default_permission(class_, permission)
protectName(class_, name, permission)
def testLikeUntoOnly(self):
protectName(TestModule.test_base, "m1", P1)
protectName(TestModule.test_base, "m2", P1)
protectSetAttribute(TestModule.test_base, "m1", P1)
protectSetAttribute(TestModule.test_base, "m2", P1)
protectLikeUnto(TestModule.test_class, TestModule.test_base)
# m1 and m2 are in the interface, so should be set, and m3 should not:
self.assertState(m1P=P1, m2P=P1)
self.assertSetattrState(m1P=P1, m2P=P1)
def testLikeUntoOnly(self):
protectName(TestModule.test_base, 'm1', P1)
protectName(TestModule.test_base, 'm2', P1)
protectSetAttribute(TestModule.test_base, 'm1', P1)
protectSetAttribute(TestModule.test_base, 'm2', P1)
protectLikeUnto(TestModule.test_class, TestModule.test_base)
# m1 and m2 are in the interface, so should be set, and m3 should not:
self.assertState(m1P=P1, m2P=P1)
self.assertSetattrState(m1P=P1, m2P=P1)
def _protect(cls, protect=None, like_class=None):
"""Register security protections for cls, as per protect/like_class.
Constraint: cls must be a type, class or module.
Attempt to reset to a different permission on a name raises an error.
The protect parameter is a dictionary that can can specify whatever
a sequence of class/require zcml directives may specify (except for
the non-compatible like_class, that if needed may be provided as a
spearate parameter):
protect:{
permission:str: {
attributes:[str],
set_attributes:[str], # tbd, zope.security.metaconfigure
interface:Interface,
set_schema:Interface # tbd
}
}
like_class: either(type, class, module)
"""
assert protect is not None or like_class is not None, \
"[%s] params protect [%s] or like_class [%s] may not be both None." % (
cls, protect, like_class)
assert protect is None or like_class is None, \
"[%s] One of params protect [%s] or like_class [%s] must be None." % (
cls, protect, like_class)
if like_class is not None:
protectclass.protectLikeUnto(cls, like_class)
return
for permission in protect:
interface = protect[permission].get("interface")
if interface:
for attr, d in interface.namesAndDescriptions(1):
protectclass.protectName(cls, attr, permission)
attributes = protect[permission].get("attributes")
if attributes:
for attr in attributes:
# retrieve cls checker on each attr (may not be defined on first)
checker = protectclass.getCheckerForInstancesOf(cls)
if checker is not None:
previous_permission = checker.get_permissions.get(attr)
if previous_permission is not None:
assert previous_permission == permission, \
"Cannot change protection of class [%s] " \
"attribute [%s] from [%s] to [%s]" % (
cls, attr, previous_permission, permission)
continue
protectclass.protectName(cls, attr, permission)
def _protect(cls, protect=None, like_class=None):
"""Register security protections for cls, as per protect/like_class.
Constraint: cls must be a type, class or module.
Attempt to reset to a different permission on a name raises an error.
The protect parameter is a dictionary that can can specify whatever
a sequence of class/require zcml directives may specify (except for
the non-compatible like_class, that if needed may be provided as a
spearate parameter):
protect:{
permission:str: {
attributes:[str],
set_attributes:[str], # tbd, zope.security.metaconfigure
interface:Interface,
set_schema:Interface # tbd
}
}
like_class: either(type, class, module)
"""
assert protect is not None or like_class is not None, \
"[%s] params protect [%s] or like_class [%s] may not be both None." % (
cls, protect, like_class)
assert protect is None or like_class is None, \
"[%s] One of params protect [%s] or like_class [%s] must be None." % (
cls, protect, like_class)
if like_class is not None:
protectclass.protectLikeUnto(cls, like_class)
return
for permission in protect:
interface = protect[permission].get("interface")
if interface:
for attr, d in interface.namesAndDescriptions(1):
protectclass.protectName(cls, attr, permission)
attributes = protect[permission].get("attributes")
if attributes:
for attr in attributes:
# retrieve cls checker on each attr (may not be defined on first)
checker = protectclass.getCheckerForInstancesOf(cls)
if checker is not None:
previous_permission = checker.get_permissions.get(attr)
if previous_permission is not None:
assert previous_permission == permission, \
"Cannot change protection of class [%s] " \
"attribute [%s] from [%s] to [%s]" % (
cls, attr, previous_permission, permission)
continue
protectclass.protectName(cls, attr, permission)
def testLikeUntoAsDefault(self):
protectName(TestModule.test_base, 'm1', P1)
protectName(TestModule.test_base, 'm2', P1)
protectSetAttribute(TestModule.test_base, 'm1', P1)
protectSetAttribute(TestModule.test_base, 'm2', P1)
protectLikeUnto(TestModule.test_class, TestModule.test_base)
protectName(TestModule.test_class, 'm2', P2)
protectName(TestModule.test_class, 'm3', P2)
protectSetAttribute(TestModule.test_class, 'm2', P2)
protectSetAttribute(TestModule.test_class, 'm3', P2)
# m1 and m2 are in the interface, so should be set, and m3 should not:
self.assertState(m1P=P1, m2P=P2, m3P=P2)
self.assertSetattrState(m1P=P1, m2P=P2, m3P=P2)
def testInherited(self):
class B1(object):
def g(self): return 'B1.g'
class B2(object):
def h(self): return 'B2.h'
class S(B1, B2):
pass
component.provideUtility(Permission('B1', ''), IPermission, 'B1')
component.provideUtility(Permission('S', ''), IPermission, 'S')
protectName(B1, 'g', 'B1')
protectName(S, 'g', 'S')
protectName(S, 'h', 'S')
self.assertEqual(selectChecker(B1()).permission_id('g'), 'B1')
self.assertEqual(selectChecker(B2()).permission_id('h'), None)
self.assertEqual(selectChecker(S()).permission_id('g'), 'S')
self.assertEqual(selectChecker(S()).permission_id('h'), 'S')
self.assertEqual(S().g(), 'B1.g')
self.assertEqual(S().h(), 'B2.h')
def defineCheckers():
# define the appropriate checker for a FileResource for these tests
from zope.security.protectclass import protectName
from zope.browserresource.file import FileResource
protectName(FileResource, '__call__', 'zope.Public')
def _callFUT(self, class_, name, permission):
from zope.security.protectclass import protectName
return protectName(class_, name, permission)
age = 10
surname = u"Someone"
class TestLayout(Layout):
grok.context(interface.Interface)
def render(self):
return '''<!DOCTYPE HTML PUBLIC
"-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">''' + (
self.view.content())
# Need to declare security for Zope madness
protectName(MyContent, 'age', 'zope.Public')
protectName(MyContent, 'surname', 'zope.Public')
protectName(MyContent, 'absolute_url', 'zope.Public')
# Everybody as edit right, so test are simpler
protectSetAttribute(MyContent, 'age', 'zope.Public')
protectSetAttribute(MyContent, 'surname', 'zope.Public')
class Index(view.View):
grok.context(MyContent)
def render(self):
return "name: {0}; age: {1}".format(self.context.surname,
self.context.age)
def testSimpleMethodsPlural(self):
protectName(TestModule.test_class, "m1", P1)
protectName(TestModule.test_class, "m3", P1)
self.assertState(m1P=P1, m3P=P1)
def testSimpleMethodsPlural(self):
protectName(TestModule.test_class, 'm1', P1)
protectName(TestModule.test_class, 'm3', P1)
self.assertState(m1P=P1, m3P=P1)
def defineCheckers():
# define the appropriate checker for a FileResource for these tests
from zope.security.protectclass import protectName
from zope.browserresource.file import FileResource
protectName(FileResource, '__call__', 'zope.Public')
def _callFUT(self, class_, name, permission):
from zope.security.protectclass import protectName
return protectName(class_, name, permission)
