Add back proxy role support.

a6dfb8ec · Hanno Schlichting · 7b8e55c4 · a6dfb8ec · a6dfb8ec · a6dfb8ec
Commit a6dfb8ec authored Oct 30, 2016 by Hanno Schlichting
4 changed files
--- a/src/OFS/DTMLDocument.py
+++ b/src/OFS/DTMLDocument.py
@@ -51,6 +51,7 @@ class DTMLDocument(PropertyManager, DTMLMethod):
    def manage_upload(self, file='', REQUEST=None):
        """ Replace the contents of the document with the text in 'file'.
        """
+        self._validateProxy(REQUEST)
        if self.wl_isLocked():
            raise ResourceLockedError('This document has been locked.')

--- a/src/OFS/DTMLMethod.py
+++ b/src/OFS/DTMLMethod.py
@@ -19,13 +19,16 @@ from AccessControl.class_init import InitializeClass
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from AccessControl import getSecurityManager
 from AccessControl.Permissions import view_management_screens
+from AccessControl.Permissions import change_proxy_roles
 from AccessControl.Permissions import view as View  # NOQA
 from AccessControl.Permissions import ftp_access
+from AccessControl.requestmethod import requestmethod
 from AccessControl.tainted import TaintedString
 from Acquisition import Implicit
 from DocumentTemplate.permissions import change_dtml_methods
 from DocumentTemplate.security import RestrictedDTML
 from six.moves.urllib.parse import quote
+from zExceptions import Forbidden
 from zExceptions import Redirect
 from zExceptions import ResourceLockedError
 from zExceptions.TracebackSupplement import PathTracebackSupplement
@@ -59,6 +62,7 @@ class DTMLMethod(RestrictedDTML,
    """ DocumentTemplate.HTML objects that act as methods of their containers.
    """
    meta_type = 'DTML Method'
+    _proxy_roles = ()
    index_html = None  # Prevent accidental acquisition
    _cache_namespace_keys = ()
@@ -72,6 +76,7 @@ class DTMLMethod(RestrictedDTML,
    manage_options = ((
        {'label': 'Edit', 'action': 'manage_main'},
+        {'label': 'Proxy', 'action': 'manage_proxyForm'},
    ) +
        RoleManager.manage_options +
        Item_w__name__.manage_options +
@@ -229,10 +234,14 @@ class DTMLMethod(RestrictedDTML,
    security.declareProtected(change_dtml_methods, 'manage_main')
    manage = manage_main = manage_editDocument = manage_editForm
+    security.declareProtected(change_proxy_roles, 'manage_proxyForm')
+    manage_proxyForm = DTMLFile('dtml/documentProxy', globals())
    security.declareProtected(change_dtml_methods, 'manage_edit')
    def manage_edit(self, data, title, SUBMIT='Change', REQUEST=None):
        """ Replace contents with 'data', title with 'title'.
        """
+        self._validateProxy(REQUEST)
        if self.wl_isLocked():
            raise ResourceLockedError('This item is locked.')
@@ -251,6 +260,7 @@ class DTMLMethod(RestrictedDTML,
    def manage_upload(self, file='', REQUEST=None):
        """ Replace the contents of the document with the text in 'file'.
        """
+        self._validateProxy(REQUEST)
        if self.wl_isLocked():
            raise ResourceLockedError('This DTML Method is locked.')
@@ -265,6 +275,41 @@ class DTMLMethod(RestrictedDTML,
            message = "Saved changes."
            return self.manage_main(self, REQUEST, manage_tabs_message=message)
+    def manage_haveProxy(self, r):
+        return r in self._proxy_roles
+    def _validateProxy(self, request, roles=None):
+        if roles is None:
+            roles = self._proxy_roles
+        if not roles:
+            return
+        user = u = getSecurityManager().getUser()
+        user = user.allowed
+        for r in roles:
+            if r and not user(self, (r,)):
+                user = None
+                break
+        if user is not None:
+            return
+        raise Forbidden(
+            'You are not authorized to change <em>%s</em> because you '
+            'do not have proxy roles.\n<!--%s, %s-->' % (
+                self.__name__, u, roles))
+    security.declareProtected(change_proxy_roles, 'manage_proxy')
+    @requestmethod('POST')
+    def manage_proxy(self, roles=(), REQUEST=None):
+        "Change Proxy Roles"
+        self._validateProxy(REQUEST, roles)
+        self._validateProxy(REQUEST)
+        self._proxy_roles = tuple(roles)
+        if REQUEST:
+            message = "Saved changes."
+            return self.manage_proxyForm(self, REQUEST,
+                                         manage_tabs_message=message)
    security.declareProtected(view_management_screens, 'PrincipiaSearchSource')
    def PrincipiaSearchSource(self):
        # Support for searching - the document's contents are searched.
@@ -285,6 +330,7 @@ class DTMLMethod(RestrictedDTML,
            self.dav__init(REQUEST, RESPONSE)
            self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
            body = REQUEST.get('BODY', '')
+            self._validateProxy(REQUEST)
            self.munge(body)
            self.ZCacheable_invalidate()
            RESPONSE.setStatus(204)

--- a/src/OFS/dtml/documentProxy.dtml
+++ b/src/OFS/dtml/documentProxy.dtml
+<dtml-var manage_page_header>
+<dtml-with "_(management_view='Proxy')">
+<dtml-var manage_tabs>
+</dtml-with>
+<p class="form-help">
+Proxy roles allow you to control the access that a DTML document or
+method has. Proxy roles replace the roles of the user who is viewing
+the document or method.  This can be used to both expand and limit
+access to resources. Select the proxy roles for this object from 
+the list below.
+</p>
+<form action="manage_proxy" method="post">
+<table cellpadding="2" cellspacing="0" border="0">
+<tr>
+<tr>
+  <td align="left" valign="top">
+  <div class="form-label">
+  Proxy Roles
+  </div>
+  </td>
+  <td align="left" valign="top">
+  <div class="form-element">
+  <select name="roles:list" size="7" multiple>
+  <dtml-in valid_roles>
+  <dtml-if expr="_vars['sequence-item'] != 'Shared'">
+  <option <dtml-if 
+   expr="manage_haveProxy(_vars['sequence-item'])">selected</dtml-if
+  >>&dtml-sequence-item;</option>
+  </dtml-if>
+  </dtml-in valid_roles>
+  </select>
+  </div>
+  </td>
+</tr>
+<tr>
+  <td align="left" valign="top" colspan="2">
+  <div class="form-element">
+  <input class="form-element" type="submit" name="SUBMIT" value="Save Changes">
+  </div>
+  </td>
+</tr>
+</table>
+</form>
+<dtml-var manage_page_footer>
--- a/src/OFS/dtml/owner.dtml
+++ b/src/OFS/dtml/owner.dtml
@@ -4,7 +4,8 @@
 <p class="form-help">
 Almost all Zope objects can be owned. When you create an object you
 become its owner. Ownership matters for method objects since
-it determines what roles they have when they are executed.
+it determines what roles they have when they are executed. See the
+<em>Proxy Roles</em> view of method objects for more information.
 </p>
 <p>