Commit 2564c5f3 authored by Hanno Schlichting's avatar Hanno Schlichting

LP #578326: Issue a warning if someone specifies a non-public permission...

LP #578326: Issue a warning if someone specifies a non-public permission attribute in the browser:view directive. This attribute has never been supported in Zope 2. This should at least make it obvious where people might have been relying on false security assumptions.
parent b2b85073
...@@ -11,6 +11,9 @@ http://docs.zope.org/zope2/releases/. ...@@ -11,6 +11,9 @@ http://docs.zope.org/zope2/releases/.
Bugs Fixed Bugs Fixed
++++++++++ ++++++++++
- LP #578326: Issue a warning if someone specifies a non-public permission
attribute in the browser:view directive. This attribute has never been
supported in Zope 2.
2.12.8 (2010-06-25) 2.12.8 (2010-06-25)
......
...@@ -42,7 +42,7 @@ ...@@ -42,7 +42,7 @@
<meta:complexDirective <meta:complexDirective
name="view" name="view"
schema="zope.app.publisher.browser.metadirectives.IViewDirective" schema=".metaconfigure.IFiveViewDirective"
handler=".metaconfigure.view" handler=".metaconfigure.view"
> >
......
...@@ -20,6 +20,7 @@ $Id$ ...@@ -20,6 +20,7 @@ $Id$
""" """
import os import os
from inspect import ismethod from inspect import ismethod
import warnings
from zope import component from zope import component
from zope.interface import implements from zope.interface import implements
...@@ -31,6 +32,7 @@ from zope.publisher.interfaces import NotFound ...@@ -31,6 +32,7 @@ from zope.publisher.interfaces import NotFound
from zope.publisher.interfaces.browser import IDefaultBrowserLayer from zope.publisher.interfaces.browser import IDefaultBrowserLayer
from zope.publisher.interfaces.browser import IBrowserPublisher from zope.publisher.interfaces.browser import IBrowserPublisher
from zope.publisher.interfaces.browser import IBrowserRequest from zope.publisher.interfaces.browser import IBrowserRequest
from zope.security.zcml import Permission
import zope.app.publisher.browser.viewmeta import zope.app.publisher.browser.viewmeta
from zope.app.publisher.browser.viewmeta import providesCallable from zope.app.publisher.browser.viewmeta import providesCallable
...@@ -177,8 +179,44 @@ class pages(zope.app.publisher.browser.viewmeta.pages): ...@@ -177,8 +179,44 @@ class pages(zope.app.publisher.browser.viewmeta.pages):
# view (named view with pages) # view (named view with pages)
from zope.app.publisher.browser.metadirectives import IViewDirective
class IFiveViewDirective(IViewDirective):
permission = Permission(
title=u"Permission",
description=u"The permission needed to use the view.",
required=False,
)
class view(zope.app.publisher.browser.viewmeta.view): class view(zope.app.publisher.browser.viewmeta.view):
# Let the permission default to zope.Public and not be required
# We should support this, as more users are expecting it to work.
def __init__(self, _context, for_, permission=None,
name='', layer=IDefaultBrowserLayer, class_=None,
allowed_interface=None, allowed_attributes=None,
menu=None, title=None, provides=Interface,
):
if permission is None:
permission = 'zope.Public'
elif permission in ('zope.Public', 'zope2.Public'):
# No need to warn about the default case
pass
else:
warnings.warn("The permission option of the <browser:view /> "
"directive is not supported in Zope 2. " + \
"Ignored for %s in %s" %
(str(class_), _context.info), stacklevel=3)
super(view, self).__init__(
_context, for_, permission=permission, name=name, layer=layer,
class_=class_, allowed_interface=allowed_interface,
allowed_attributes=allowed_attributes, menu=menu, title=title,
provides=provides)
def __call__(self): def __call__(self):
(_context, name, for_, permission, layer, class_, (_context, name, for_, permission, layer, class_,
allowed_interface, allowed_attributes) = self.args allowed_interface, allowed_attributes) = self.args
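Review bot: In `view.__init__`, a non-public `permission` only triggers `warnings.warn(...)` and registration then continues through `super(view, self).__init__(...)`, so the directive fails open. The warning text itself says the value is ignored, so a deployment that filters warnings or never reads start-up output would keep serving a view whose author believed it was protected. Consider failing closed, e.g. `raise ConfigurationError("permission is not supported on <browser:view /> in Zope 2: %s in %s" % (class_, _context.info))` using `zope.configuration.exceptions.ConfigurationError`. If compatibility rules that out, at least record the consequence above the `else:` branch with a comment such as `# NOTE: this permission is not enforced by Zope 2 for browser:view; do not rely on it for access control.` `__call__` continues outside the hunk, so how `permission` from `self.args` is used there cannot be confirmed from this page.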
......