As per usual the collector won't let me attach patches to issues I didn't start, so here's the patch for some issues discussed surrounding 1074. Now there are some caveats to this patch... I haven't protected every method; left to do yet are: manage_FTPget, get_size/getSize. Also note this patch removes the dependence on MessageDialog - that really had no bearing on the issue at hand, and I only include that portion of the patch because in my fork I removed all reliance upon MessageDialog (a class I really loathed) and I'm too lazy to add it back for the purposes of this patch.
-- Jamie Heilman http://audible.transient.net/~jamie/ "You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
--- PythonScript.py 22 Mar 2004 16:26:52 -0000 1.56
+++ PythonScript.py 1 May 2004 21:42:49 -0000
@@ -16,11 +16,10 @@
 This product provides support for Script objects containing restricted
 Python code.
 """
-
 __version__='$Revision: 1.56 $'[11:-2]
 import sys, os, traceback, re, marshal, new
-from Globals import DTMLFile, MessageDialog, package_home
+from Globals import DTMLFile, package_home
 import AccessControl, OFS, RestrictedPython
 from Acquisition import aq_parent
 from OFS.SimpleItem import SimpleItem
@@ -29,11 +28,11 @@
 from webdav.Lockable import ResourceLockedError
 from webdav.WriteLockInterface import WriteLockInterface
 from Shared.DC.Scripts.Script import Script, BindingsUI, defaultBindings
-from AccessControl import getSecurityManager
+from AccessControl import getSecurityManager, Permissions
 from OFS.History import Historical, html_diff
 from OFS.Cache import Cacheable
 from AccessControl.ZopeGuards import get_safe_globals, guarded_getattr
-from zLOG import LOG, ERROR, INFO, PROBLEM
+from zLOG import LOG, ERROR, INFO
 from zExceptions import Forbidden
 import Globals
@@ -42,6 +41,11 @@
 Python_magic = imp.get_magic()
 del imp
+VIEW_PERM = Permissions.view
+MANAGE_PERM = Permissions.view_management_screens
+CHANGE_PERM = Permissions.change_python_scripts
+PROXY_PERM = Permissions.change_proxy_roles
+
 # This should only be incremented to force recompilation.
 Script_magic = 3
 _log_complaint = (
@@ -81,6 +85,8 @@
     The function may include standard python code, so long as it does
     not attempt to use the "exec" statement or certain restricted builtins.
     """
+    security = AccessControl.ClassSecurityInfo()
+    security.declareObjectProtected(VIEW_PERM)
     __implements__ = (WriteLockInterface,)
     meta_type='Script (Python)'
@@ -109,24 +115,20 @@
         self.ZBindings_edit(defaultBindings)
         self._makeFunction()
-    security = AccessControl.ClassSecurityInfo()
-
-    security.declareObjectProtected('View')
-    security.declareProtected('View', '__call__')
-
-    security.declareProtected('View management screens',
-      'ZPythonScriptHTML_editForm', 'manage_main', 'read',
-      'ZScriptHTML_tryForm', 'PrincipiaSearchSource',
-      'document_src', 'params', 'body', 'get_filepath')
+    security.declareProtected(VIEW_PERM, "__call__")
+    security.declareProtected(MANAGE_PERM, "ZScriptHTML_tryForm")
+    security.declareProtected(CHANGE_PERM, "manage_historyCopy")
+    security.declareProtected(CHANGE_PERM, "manage_beforeHistoryCopy")
+    security.declareProtected(CHANGE_PERM, "manage_afterHistoryCopy")
+    security.declareProtected(MANAGE_PERM, "manage_main",
+                              "ZPythonScriptHTML_editForm")
     ZPythonScriptHTML_editForm = DTMLFile('www/pyScriptEdit', globals())
     manage = manage_main = ZPythonScriptHTML_editForm
     ZPythonScriptHTML_editForm._setName('ZPythonScriptHTML_editForm')
-    security.declareProtected('Change Python Scripts',
-      'ZPythonScriptHTML_editAction',
-      'ZPythonScript_setTitle', 'ZPythonScript_edit',
-      'ZPythonScriptHTML_upload', 'ZPythonScriptHTML_changePrefs')
+
+    security.declareProtected(CHANGE_PERM, "ZPythonScriptHTML_editAction")
     def ZPythonScriptHTML_editAction(self, REQUEST, title, params, body):
         """Change the script's main parameters."""
         self.ZPythonScript_setTitle(title)
@@ -135,12 +137,14 @@
         return self.ZPythonScriptHTML_editForm(self, REQUEST,
                                                manage_tabs_message=message)
+    security.declareProtected(CHANGE_PERM, "ZPythonScript_setTitle")
     def ZPythonScript_setTitle(self, title):
         title = str(title)
         if self.title != title:
             self.title = title
             self.ZCacheable_invalidate()
+    security.declareProtected(CHANGE_PERM, "ZPythonScript_edit")
     def ZPythonScript_edit(self, params, body):
         self._validateProxy()
         if self.wl_isLocked():
@@ -151,6 +155,7 @@
         self._params = str(params)
         self.write(body)
+    security.declareProtected(CHANGE_PERM, "ZPythonScriptHTML_upload")
     def ZPythonScriptHTML_upload(self, REQUEST, file=''):
         """Replace the body of the script with the text in file."""
         if self.wl_isLocked():
@@ -165,6 +170,7 @@
         return self.ZPythonScriptHTML_editForm(self, REQUEST,
                                                manage_tabs_message=message)
+    security.declareProtected(CHANGE_PERM, "ZPythonScriptHTML_changePrefs")
     def ZPythonScriptHTML_changePrefs(self, REQUEST, height=None, width=None,
                                       dtpref_cols="100%", dtpref_rows="20"):
         """Change editing preferences."""
@@ -188,7 +194,6 @@
         return self.manage_main(self, REQUEST)
     def ZScriptHTML_tryParams(self):
-        """Parameters to test the script with."""
         param_names = []
         for name in self._params.split(','):
@@ -326,10 +331,12 @@
         self.ZCacheable_set(result, keywords=keyset)
         return result
+    security.declarePrivate("manage_afterAdd")
     def manage_afterAdd(self, item, container):
         if item is self:
             self._filepath = self.get_filepath()
+    security.declarePublic("get_filepath")
     def get_filepath(self):
         return self.meta_type + ':' + '/'.join(self.getPhysicalPath())
@@ -345,9 +352,7 @@
                     'because you do not have proxy roles.\n<!--%s, %s-->'
                     % (self.id, user, roles))
-    security.declareProtected('Change proxy roles',
-      'manage_proxyForm', 'manage_proxy')
-
+    security.declareProtected(PROXY_PERM, "manage_proxyForm", "manage_proxy")
     manage_proxyForm = DTMLFile('www/pyScriptProxy', globals())
     def manage_proxy(self, roles=(), REQUEST=None):
         "Change Proxy Roles"
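Review bot: Dropping the only docstring of ZScriptHTML_tryParams (hunk @@ -188) leaves no hint that the omission is deliberate, so a later maintainer is likely to put one back. If the intent is to keep the helper off the web (the publisher treats a docstring as the marker that a method is URL-publishable), record that on the line after the def with a comment such as `# No docstring on purpose: keeps this helper from being URL-publishable.`. The rest of ZScriptHTML_tryParams lies outside the hunk.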
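Review bot: `security.declarePublic("get_filepath")` in hunk @@ -326 loosens access rather than preserving it: the removed block in hunk @@ -109 listed get_filepath under 'View management screens', and the new declaration lets any caller, including restricted code in other scripts, read the object's meta_type and full physical path. The internal `self.get_filepath()` call in manage_afterAdd does not go through the security check, so it does not need the public declaration. If the relaxation is intentional, say so in a comment next to the declaration; otherwise `security.declareProtected(MANAGE_PERM, "get_filepath")` keeps the previous coverage.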
@@ -355,16 +360,11 @@
         self._validateProxy()
         self.ZCacheable_invalidate()
         self._proxy_roles=tuple(roles)
-        if REQUEST: return MessageDialog(
-                    title ='Success!',
-                    message='Your changes have been saved',
-                    action ='manage_main')
-
-    security.declareProtected('Change Python Scripts',
-      'PUT', 'manage_FTPput', 'write',
-      'manage_historyCopy',
-      'manage_beforeHistoryCopy', 'manage_afterHistoryCopy')
+        message = "Saved changes."
+        return message is None and message or self.ZPythonScriptHTML_editForm(
+            self, REQUEST, manage_tabs_message=message)
+    security.declareProtected(CHANGE_PERM, "PUT")
     def PUT(self, REQUEST, RESPONSE):
         """ Handle HTTP PUT requests """
         self.dav__init(REQUEST, RESPONSE)
@@ -375,6 +375,7 @@
     manage_FTPput = PUT
+    security.declareProtected(CHANGE_PERM, "write")
     def write(self, text):
         """ Change the Script by parsing a read()-style source text. """
         self._validateProxy()
@@ -448,6 +449,7 @@
             m['bind '+k] = bindmap.get(v, '')
         return m
+    security.declareProtected(MANAGE_PERM, "read")
     def read(self):
         """
         Generate a text representation of the Script source.
@@ -477,18 +479,21 @@
         hlines.append('')
         return ('\n' + prefix).join(hlines) + '\n' + self._body
+    security.declareProtected(MANAGE_PERM, "params", "body")
     def params(self): return self._params
     def body(self): return self._body
+
     def get_size(self): return len(self.read())
     getSize = get_size
+    security.declareProtected(MANAGE_PERM, "PrincipiaSearchSource")
     def PrincipiaSearchSource(self):
         "Support for searching - the document's contents are searched."
         return "%s\n%s" % (self._params, self._body)
+    security.declareProtected(MANAGE_PERM, "document_src")
     def document_src(self, REQUEST=None, RESPONSE=None):
         """Return unprocessed document source."""
-
         if RESPONSE is not None:
             RESPONSE.setHeader('Content-Type', 'text/plain')
         return self.read()
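Review bot: manage_proxy now renders the edit form unconditionally, because `message` is assigned the literal "Saved changes." on the line before the `message is None and message or ...` expression, so the `is None` branch can never be taken and the `REQUEST=None` case that the removed `if REQUEST:` guard handled now calls ZPythonScriptHTML_editForm with REQUEST=None. Keep the guard and drop the dead conditional: `if REQUEST is not None:` / `    return self.ZPythonScriptHTML_editForm(` / `        self, REQUEST, manage_tabs_message="Saved changes.")`. Code that calls manage_proxy(roles) programmatically would otherwise get a rendered page, or an error from the DTML, instead of None.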
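Review bot: `manage_FTPput = PUT` in hunk @@ -375 is left without a security declaration; the removed block in hunk @@ -355 covered 'PUT', 'manage_FTPput' and 'write' under 'Change Python Scripts', while the new declarations cover only "PUT" and "write". Since declarations are keyed by attribute name rather than by function object, the alias appears to fall back to the object's View protection from `declareObjectProtected(VIEW_PERM)`, which would let a View-only user replace the script body through the FTP path; `security.declareProtected(CHANGE_PERM, "PUT", "manage_FTPput")` restores the previous coverage. The message lists manage_FTPget and get_size/getSize as still to do, but not this alias.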