Merge pull request #29 from zopefoundation/lp1465432-backport_end_interaction

WSGI begin / end interaction fixes

doc/CHANGES.rst

@@ -8,6 +8,9 @@ http://docs.zope.org/zope2/
 2.13.23 (unreleased)
 --------------------
 
+- LP #1465432:  Ensure that WSGIPublisher starts / ends interaction at
+  request boundaries (analogous to ZPublisher).  Backport from master.
+
 - Fix: Queue additional warning filters at the beginning of the queue in order
   to allow overrides.
 
@@ -181,6 +184,11 @@ http://docs.zope.org/zope2/
   Ported the ``shiftNameToApplication`` implementation from zope.publisher to
   ZPublisher.HTTPRequest.HTTPRequest.
 
+- Ensure that the ``WSGIPublisher`` begins and ends an *interaction*
+  at the request/response barrier. This is required for instance for
+  the ``checkPermission`` call to function without an explicit
+  ``interaction`` parameter.
+
 - Ensure that ObjectManager's ``get`` and ``__getitem__`` methods return only
   "items" (no attributes / methods from the class or from acquisition).
   Thanks to Richard Mitchell at Netsight for the report.

src/ZPublisher/WSGIPublisher.py

@@ -19,6 +19,7 @@ import transaction
 from zExceptions import Redirect
 from zExceptions import Unauthorized
 from zope.event import notify
+from zope.security.management import newInteraction, endInteraction
 from zope.publisher.skinnable import setDefaultSkin
 from ZServer.medusa.http_date import build_http_date
 
@@ -165,45 +166,49 @@ def publish(request, module_name,
     ) = _get_module_info(module_name)
 
     notify(PubStart(request))
-    request.processInputs()
-    response = request.response
-
-    if bobo_after is not None:
-        response.after_list += (bobo_after,)
-
-    if debug_mode:
-        response.debug_mode = debug_mode
-
-    if realm and not request.get('REMOTE_USER', None):
-        response.realm = realm
-
-    if bobo_before is not None:
-        bobo_before()
-
-    # Get the path list.
-    # According to RFC1738 a trailing space in the path is valid.
-    path = request.get('PATH_INFO')
-
-    request['PARENTS'] = [object]
-    object = request.traverse(path, validated_hook=validated_hook)
-    notify(PubAfterTraversal(request))
-
-    if transactions_manager:
-        transactions_manager.recordMetaData(object, request)
-
-    result = mapply(object,
-                    request.args,
-                    request,
-                    call_object,
-                    1,
-                    missing_name,
-                    dont_publish_class,
-                    request,
-                    bind=1,
-                    )
-
-    if result is not response:
-        response.setBody(result)
+    newInteraction()
+    try:
+        request.processInputs()
+        response = request.response
+
+        if bobo_after is not None:
+            response.after_list += (bobo_after,)
+
+        if debug_mode:
+            response.debug_mode = debug_mode
+
+        if realm and not request.get('REMOTE_USER', None):
+            response.realm = realm
+
+        if bobo_before is not None:
+            bobo_before()
+
+        # Get the path list.
+        # According to RFC1738 a trailing space in the path is valid.
+        path = request.get('PATH_INFO')
+
+        request['PARENTS'] = [object]
+        object = request.traverse(path, validated_hook=validated_hook)
+        notify(PubAfterTraversal(request))
+
+        if transactions_manager:
+            transactions_manager.recordMetaData(object, request)
+
+        result = mapply(object,
+                        request.args,
+                        request,
+                        call_object,
+                        1,
+                        missing_name,
+                        dont_publish_class,
+                        request,
+                        bind=1,
+                        )
+
+        if result is not response:
+            response.setBody(result)
+    finally:
+        endInteraction()
 
     notify(PubBeforeCommit(request))
     return response