Moved security related ZCML configuration into the AccessControl package.

d5f46b74 · Hanno Schlichting · 1bca2144 · d5f46b74 · d5f46b74 · d5f46b74
Commit d5f46b74 authored Dec 31, 2009 by Hanno Schlichting
8 changed files
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -35,7 +35,8 @@ Restructuring
 - Removed experimental support for configuring the Twisted HTTP server
  as an alternative to ``ZServer``.

- Moved ``Products/Five/security.py`` into the AccessControl package.
+- Moved ``Products/Five/security.py`` and security related ZCML configuration
+  into the AccessControl package.

 - Moved ``Products/Five/traversing.zcml`` directly into the configure.zcml.


--- a/src/AccessControl/meta.zcml
+++ b/src/AccessControl/meta.zcml
+<configure
+    xmlns="http://namespaces.zope.org/zope"
+    xmlns:meta="http://namespaces.zope.org/meta">
+
+  <include package="zope.component" file="meta.zcml" />
+  <include package="zope.security" file="meta.zcml" />
+
+  <meta:directives namespace="http://namespaces.zope.org/zope">
+
+    <meta:complexDirective
+        name="class"
+        schema="zope.security.metadirectives.IClassDirective"
+        handler=".metaconfigure.ClassDirective"
+        >
+
+      <meta:subdirective
+          name="implements"
+          schema="zope.security.metadirectives.IImplementsSubdirective"
+          />
+
+      <meta:subdirective
+          name="require"
+          schema="zope.security.metadirectives.IRequireSubdirective"
+          />
+
+      <meta:subdirective
+          name="allow"
+          schema="zope.security.metadirectives.IAllowSubdirective"
+          />
+
+    </meta:complexDirective>
+
+    <meta:directive
+        name="securityPolicy"
+        schema="zope.security.zcml.ISecurityPolicyDirective"
+        handler="zope.security.zcml.securityPolicy"
+        />
+
+  </meta:directives>
+
+</configure>
--- a/src/AccessControl/metaconfigure.py
+++ b/src/AccessControl/metaconfigure.py
+##############################################################################
+#
+# Copyright (c) 2004, 2005 Zope Corporation and Contributors.
+# All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE.
+#
+##############################################################################
+
+import warnings
+from zope.security import metaconfigure
+from AccessControl.security import protectName
+from App.class_init import InitializeClass
+
+class ClassDirective(metaconfigure.ClassDirective):
+
+    def __protectName(self, name, permission_id):
+        self.__context.action(
+            discriminator = ('five:protectName', self.__class, name),
+            callable = protectName,
+            args = (self.__class, name, permission_id)
+            )
+
+    def __protectSetAttributes(self, names, permission_id):
+        warnings.warn("The set_attribute option of the <require /> directive "
+                      "is not supported in Zope 2. "
+                      "Ignored for %s" % str(self.__class), stacklevel=3)
+
+    def __protectSetSchema(self, schema, permission):
+        warnings.warn("The set_schema option of the <require /> directive "
+                      "is not supported in Zope 2. "
+                      "Ignored for %s" % str(self.__class), stacklevel=3)
+
+    def __mimic(self, _context, class_):
+        warnings.warn("The like_class option of the <require /> directive "
+                      "is not supported in Zope 2. "
+                      "Ignored for %s" % str(self.__class), stacklevel=3)
+
+    def __call__(self):
+        return self.__context.action(
+            discriminator = None,
+            callable = InitializeClass,
+            args = (self.__class,)
+            )
--- a/src/Products/Five/tests/test_security.py
+++ b/src/Products/Five/tests/test_security.py
--- a/src/Products/Five/browser/tests/test_zope3security.py
+++ b/src/Products/Five/browser/tests/test_zope3security.py

 def test_check_permission():
-    """Code (in Zope 3) often uses
+    """Code (in Zope packages) often uses
    zope.security.management.checkPermission to determine whether the
-    current user has a certain permission in a given context.  Five
+    current user has a certain permission in a given context. Five
    inserts its own interaction that assures that such calls still
    work.
-    
+
      >>> configure_zcml = '''
      ... <configure 
      ...     xmlns="http://namespaces.zope.org/zope"
@@ -53,6 +53,80 @@ def test_check_permission():

    """

+def test_allowed_interface():
+    """This test demonstrates that allowed_interface security declarations work
+    as expected.
+
+      >>> from zope.component.testing import setUp, tearDown
+      >>> setUp()
+
+    Before we can make security declarations through ZCML, we need to
+    register the directive and the permission:
+
+      >>> import AccessControl
+      >>> from zope.configuration.xmlconfig import XMLConfig
+      >>> XMLConfig('meta.zcml', AccessControl)()
+      >>> import Products.Five.browser
+      >>> XMLConfig('meta.zcml', Products.Five.browser)()
+      >>> XMLConfig('permissions.zcml', AccessControl)()
+
+    Now we provide some ZCML declarations for ``Dummy1``:
+
+      >>> from StringIO import StringIO
+      >>> configure_zcml = StringIO('''
+      ... <configure xmlns="http://namespaces.zope.org/zope"
+      ...            xmlns:browser="http://namespaces.zope.org/browser">
+      ...   <browser:page
+      ...       for="*"
+      ...       name="testview"
+      ...       permission="zope2.ViewManagementScreens"
+      ...       class="AccessControl.tests.testZCML.Dummy1"
+      ...       allowed_interface="AccessControl.tests.testZCML.IDummy" />
+      ... </configure>
+      ... ''')
+      >>> from zope.configuration.xmlconfig import xmlconfig
+      >>> xmlconfig(configure_zcml)
+
+    We are going to check that roles are correctly setup, so we need getRoles.
+
+      >>> from AccessControl.ZopeSecurityPolicy import getRoles
+      >>> from AccessControl import ACCESS_PRIVATE
+
+    Due to the nasty voodoo involved in Five's handling of view classes,
+    browser:page doesn't apply security to Dummy1, but rather to the "magic"
+    view class that is created at ZCML parse time.  That means we can't just
+    instanciate with Dummy1() directly and expect a security-aware instance :(.
+    Instead, we'll have to actually lookup the view.  The view was declared for
+    "*", so we just use an instance of Dummy1 ;-).
+
+    Instanciate a Dummy1 object to test with.
+
+      >>> from AccessControl.tests.testZCML import Dummy1
+      >>> dummy1 = Dummy1()
+      >>> from zope.component import getMultiAdapter
+      >>> from zope.publisher.browser import TestRequest
+      >>> request = TestRequest()
+      >>> view = getMultiAdapter((dummy1, request), name="testview")
+
+    As 'foo' is defined in IDummy, it should have the 'Manager' role.
+
+      >>> getRoles(view, 'foo', view.foo, ('Def',))
+      ('Manager',)
+
+    As 'wot' is not defined in IDummy, it should be private.
+
+      >>> getRoles(view, 'wot', view.wot, ('Def',)) is ACCESS_PRIVATE
+      True
+
+    But 'superMethod' is defined on IDummy by inheritance from ISuperDummy, and
+    so should have the 'Manager' role setup.
+
+      >>> getRoles(view, 'superMethod', view.superMethod, ('Def',))
+      ('Manager',)
+
+      >>> tearDown()
+    """
+
 def test_suite():
    from Testing.ZopeTestCase import FunctionalDocTestSuite
    from zope.testing.doctest import ELLIPSIS

--- a/src/Products/Five/browser/tests/zope3security.py
+++ b/src/Products/Five/browser/tests/zope3security.py
-from Products.Five import BrowserView
+from zope.publisher.browser import BrowserView
 from zope.security.management import checkPermission

 class Zope3SecurityView(BrowserView):

--- a/src/Products/Five/meta.zcml
+++ b/src/Products/Five/meta.zcml
@@ -2,8 +2,8 @@
    xmlns="http://namespaces.zope.org/zope"
    xmlns:meta="http://namespaces.zope.org/meta">

+  <include package="AccessControl" file="meta.zcml" />
  <include package="zope.component" file="meta.zcml" />
-  <include package="zope.security" file="meta.zcml" />
  <include package="zope.i18n" file="meta.zcml" />

  <include package=".browser" file="meta.zcml" />
@@ -17,35 +17,6 @@
        handler="zope.component.zcml.view"
        />

-    <meta:complexDirective
-        name="class"
-        schema="zope.security.metadirectives.IClassDirective"
-        handler=".metaconfigure.ClassDirective"
-        >
-
-      <meta:subdirective
-          name="implements"
-          schema="zope.security.metadirectives.IImplementsSubdirective"
-          />
-
-      <meta:subdirective
-          name="require"
-          schema="zope.security.metadirectives.IRequireSubdirective"
-          />
-
-      <meta:subdirective
-          name="allow"
-          schema="zope.security.metadirectives.IAllowSubdirective"
-          />
-
-    </meta:complexDirective>
-
-    <meta:directive
-        name="securityPolicy"
-        schema="zope.security.zcml.ISecurityPolicyDirective"
-        handler="zope.security.zcml.securityPolicy"
-        />
-
  </meta:directives>

  <meta:directives namespace="http://namespaces.zope.org/five">

--- a/src/Products/Five/metaconfigure.py
+++ b/src/Products/Five/metaconfigure.py
-##############################################################################
-#
-# Copyright (c) 2004, 2005 Zope Corporation and Contributors.
-# All Rights Reserved.
-#
-# This software is subject to the provisions of the Zope Public License,
-# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
-# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
-# FOR A PARTICULAR PURPOSE.
-#
-##############################################################################
-"""Generic Components ZCML Handlers
-
-$Id$
-"""
-import warnings
-from zope.security import metaconfigure
-from AccessControl.security import protectName
-from App.class_init import InitializeClass
-
-class ClassDirective(metaconfigure.ClassDirective):
-
-    def __protectName(self, name, permission_id):
-        self.__context.action(
-            discriminator = ('five:protectName', self.__class, name),
-            callable = protectName,
-            args = (self.__class, name, permission_id)
-            )
-
-    def __protectSetAttributes(self, names, permission_id):
-        warnings.warn("The set_attribute option of the <require /> directive is not supported in Zope 2. " + \
-                      "Ignored for %s" % str(self.__class), stacklevel=3)
-
-    def __protectSetSchema(self, schema, permission):
-        warnings.warn("The set_schema option of the <require /> directive is not supported in Zope 2. " + \
-                      "Ignored for %s" % str(self.__class), stacklevel=3)
-
-    def __mimic(self, _context, class_):
-        warnings.warn("The like_class option of the <require /> directive is not supported in Zope 2. " + \
-                      "Ignored for %s" % str(self.__class), stacklevel=3)
-
-    def __call__(self):
-        return self.__context.action(
-            discriminator = None,
-            callable = InitializeClass,
-            args = (self.__class,)
-            )
+# BBB
+from AccessControl.metaconfigure import ClassDirective