[Archetypes-users] securing methods in Plone 4


Joe Bigler

Dec 6, 2010, 2:15:17 PM
to archetyp...@lists.sourceforge.net

I am trying to update an AGX product originally written for Plone 2.5 to
Plone 4.0.2 now using AGX 2.5 and ArgoUML 28.1. I have several methods that
I am trying to update the security on. Here is an example:

# Methods
security.declareProtected(View, 'Title')
def Title(self):
    """ Return the semester and year as title. """
    return self.getSemester() + " " + str(self.getYear())

The method Title(self) works fine, but I can't use the
security.declareProtected(View, 'Title'). If I do, the product can be
installed, but does not appear in the add drop down menu at all. As soon as
I comment out that line, it appears and works fine.

I am not a Python programmer. I understand there is a new approach to
security in Plone 3 and 4. The article at
http://plone.org/documentation/manual/plone-community-developer-documentation/security-1/code
talks about doing this under "New style vs. old style".

I don't quite see what I need to do. If someone could point me to an
example or show one, I think I could figure it out. I tried doing this with
ArgoUML, but it gave me this

security.declarePrivate('Title')
def Title(self):
    """
    """
    pass

I selected Protected for the operation of Title and it generated that code.
I can add the method code manually, which I understand is the only way to
create a method with ArgoUML, but I don't think the security is correct. If
I understand this correctly, making it Private, only allows the Title method
to be called within this script. The previous method using
security.declareProtected(View, 'Title') would allow a user with the View
permission to call the function. I am not sure why this is necessary. I am
guessing it involves calling the method Title by another Zope Page Template,
possibly one used for a view. If that's correct, then I probably need that
capability.

Any suggestions are appreciated. Thanks in advance for all replies.

Joe Bigler


--
View this message in context: http://plone.293351.n2.nabble.com/securing-methods-in-Plone-4-tp5809081p5809081.html
Sent from the Archetypes mailing list archive at Nabble.com.

_______________________________________________
Archetypes-users mailing list
Archetyp...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/archetypes-users

Mikko Ohtamaa

Dec 6, 2010, 2:48:53 PM
to archetyp...@lists.sourceforge.net

Joe Bigler wrote:
>
> The method Title(self) works fine, but I can't use the
> security.declareProtected(View, 'Title'). If I do, the product can be
> installed, but does not appear in the add drop down menu at all. As soon
> as I comment out that line, it appears and works fine.
>

Do you start your Zope in foreground mode? Are there any messages related to
problems reading your module when starting Zope?


-----
Mikko Ohtamaa
Mobilize your Plone site - http://webandmobile.mfabrik.com
mFabrik - Freedom Delivered. - http://mfabrik.com


Joe Bigler

Dec 6, 2010, 5:09:16 PM
to archetyp...@lists.sourceforge.net

Thanks for the quick reply:

I just ran it in FG mode and this is the message I see:


C:\Program Files\Plone\bin>plonectl client1 fg
client1: 2010-12-06 16:59:50 INFO ZServer HTTP server started at Mon Dec 06 16:59:50 2010
Hostname: Beryl2
Port: 8080
2010-12-06 17:00:17 INFO ZEO.ClientStorage zeostorage ClientStorage (pid=2340) created RW/normal for storage: '1'
2010-12-06 17:00:17 WARNING ZODB.blob (2340) Blob dir C:\Program Files\Plone\var\blobstorage\ has insecure mode setting
2010-12-06 17:00:17 INFO ZEO.cache created temporary cache file 'c:\\docume~1\\jeb6\\locals~1\\temp\\tmpvccdjk'
2010-12-06 17:00:22 INFO ZEO.ClientStorage zeostorage Testing connection <ManagedClientConnection ('127.0.0.1', 8100)>
2010-12-06 17:00:22 INFO ZEO.zrpc.Connection(C) (127.0.0.1:8100) received handshake 'Z309'
2010-12-06 17:00:22 INFO ZEO.ClientStorage zeostorage Server authentication protocol None
2010-12-06 17:00:22 INFO ZEO.ClientStorage zeostorage Connected to storage: ('Beryl2', 8100)
2010-12-06 17:00:22 INFO ZEO.ClientStorage zeostorage No verification necessary -- empty cache
2010-12-06 17:00:26 INFO Archetypes
ArchetypesTool: Trying to register "EducationAssessment4.Course" which has already been registered. The new type Products.EducationAssessment4.Course.Course is going to override Products.Copy of EducationAssessment4.Course.Course
2010-12-06 17:00:26 ERROR Application Couldn't install EducationAssessment4
Traceback (most recent call last):
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\OFS\Application.py", line 671, in install_product
    initmethod(context)
  File "C:\Program Files\Plone\products\EducationAssessment4\__init__.py", line 71, in initialize
    import Section
  File "C:\Program Files\Plone\products\EducationAssessment4\Section.py", line 83, in <module>
    class Section(BaseFolder, BrowserDefaultMixin):
  File "C:\Program Files\Plone\products\EducationAssessment4\Section.py", line 99, in Section
    security.declareProtected(View, 'Title')
NameError: name 'View' is not defined
Traceback (most recent call last):
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\Zope2\Startup\run.py", line 56, in <module>
    run()
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\Zope2\Startup\run.py", line 21, in run
    starter.prepare()
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\Zope2\Startup\__init__.py", line 87, in prepare
    self.startZope()
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\Zope2\Startup\__init__.py", line 264, in startZope
    Zope2.startup()
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\Zope2\__init__.py", line 47, in startup
    _startup()
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\Zope2\App\startup.py", line 116, in startup
    OFS.Application.initialize(application)
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\OFS\Application.py", line 251, in initialize
    initializer.initialize()
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\OFS\Application.py", line 279, in initialize
    self.install_products()
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\OFS\Application.py", line 492, in install_products
    return install_products(app)
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\OFS\Application.py", line 523, in install_products
    folder_permissions, raise_exc=debug_mode)
  File "c:\program files\plone\buildout-cache\eggs\zope2-2.12.13-py2.6-win32.egg\OFS\Application.py", line 671, in install_product
    initmethod(context)
  File "C:\Program Files\Plone\products\EducationAssessment4\__init__.py", line 71, in initialize
    import Section
  File "C:\Program Files\Plone\products\EducationAssessment4\Section.py", line 83, in <module>
    class Section(BaseFolder, BrowserDefaultMixin):
  File "C:\Program Files\Plone\products\EducationAssessment4\Section.py", line 99, in Section
    security.declareProtected(View, 'Title')
NameError: name 'View' is not defined

C:\Program Files\Plone\bin>

Here is the code from the Sections.py file

# -*- coding: utf-8 -*-
#
# File: Section.py
#
# Copyright (c) 2010 by unknown <unknown>
# Generator: ArchGenXML Version 2.5
# http://plone.org/products/archgenxml
#
# GNU General Public License (GPL)
#

__author__ = """unknown <unknown>"""
__docformat__ = 'plaintext'

from AccessControl import ClassSecurityInfo
from Products.Archetypes.atapi import *
from zope.interface import implements
import interfaces

from Products.CMFDynamicViewFTI.browserdefault import BrowserDefaultMixin

from Products.EducationAssessment4.config import *

##code-section module-header #fill in your manual code here
##/code-section module-header

schema = Schema((

    StringField(
        name='semester',
        required = True,
        widget=SelectionWidget(
            label="Semester",
            description=""
        ),
        vocabulary=['Fall', 'Spring', 'Summer'],
        default = 'Fall',
    ),

    IntegerField(
        name='year',
        widget=IntegerField._properties['widget'](
            label='Year',
            label_msgid='EducationAssessment4_label_year',
            i18n_domain='EducationAssessment4',
        ),
    ),
    StringField(
        name='instructor',
        widget=StringField._properties['widget'](
            label='Instructor',
            label_msgid='EducationAssessment4_label_instructor',
            i18n_domain='EducationAssessment4',
        ),
    ),
    FileField(
        name='sectionFile',
        widget=FileField._properties['widget'](
            label='Syllabus File for this section',
            label_msgid='EducationAssessment4_label_sectionFile',
            i18n_domain='EducationAssessment4',
        ),
        storage=AttributeStorage(),
    ),

),
)

##code-section after-local-schema #fill in your manual code here
##/code-section after-local-schema

Section_schema = BaseFolderSchema.copy() + \
    schema.copy()
# Section_schema = ATContentTypeSchema + BaseFolderSchema.copy() + schema.copy()
Section_schema['title'].widget.visible = {'edit': 'invisible',
                                          'view': 'visible'}
# finalizeATCTSchema(Section_schema, folderish=True)

##code-section after-schema #fill in your manual code here
##/code-section after-schema

class Section(BaseFolder, BrowserDefaultMixin):
    """
    """
    security = ClassSecurityInfo()

    implements(interfaces.ISection)

    meta_type = 'Section'
    _at_rename_after_creation = True

    schema = Section_schema

    ##code-section class-header #fill in your manual code here
    ##/code-section class-header

    # Methods
    security.declareProtected(View, 'Title')
    def Title(self):
        """ Return the semester and year as title. """
        return self.getSemester() + " " + str(self.getYear())

    # security.declareProtected(View, 'getSectionName')
    def getSectionName(self):
        """ Return the section name (title in this case) """
        return self.Title()

    # security.declareProtected(View, 'getSortableSectionName')
    def getSortableSectionName(self):
        """ Return the section and year in a sortable format. """
        semesterOrder = ['Spring', 'Summer', 'Fall']
        semesterKey = semesterOrder.index(self.getSemester())
        return str(self.getYear()) + '-' + str(semesterKey)

registerType(Section, PROJECTNAME)
# end of class Section

##code-section module-footer #fill in your manual code here
##/code-section module-footer

Appreciate the help,

Joe Bigler

Joe Bigler

Dec 6, 2010, 7:56:08 PM
to archetyp...@lists.sourceforge.net

I think I found the problem. I missed the error about View before in the error
log. I added

from Products.CMFCore.permissions import View

to the top of the script. Now the product shows up in the drop down box and
can be added.
Here's what the terminal shows now in fg mode:


C:\Program Files\Plone\bin>plonectl client1 fg
client1: 2010-12-06 19:42:09 INFO ZServer HTTP server started at Mon Dec 06 19:42:09 2010
Hostname: Beryl2
Port: 8080
2010-12-06 19:42:25 INFO ZEO.ClientStorage zeostorage ClientStorage (pid=3392) created RW/normal for storage: '1'
2010-12-06 19:42:25 WARNING ZODB.blob (3392) Blob dir C:\Program Files\Plone\var\blobstorage\ has insecure mode setting
2010-12-06 19:42:25 INFO ZEO.cache created temporary cache file 'c:\\docume~1\\jeb6\\locals~1\\temp\\tmpmf1rw3'
2010-12-06 19:42:29 INFO ZEO.ClientStorage zeostorage Testing connection <ManagedClientConnection ('127.0.0.1', 8100)>
2010-12-06 19:42:29 INFO ZEO.zrpc.Connection(C) (127.0.0.1:8100) received handshake 'Z309'
2010-12-06 19:42:30 INFO ZEO.ClientStorage zeostorage Server authentication protocol None
2010-12-06 19:42:30 INFO ZEO.ClientStorage zeostorage Connected to storage: ('Beryl2', 8100)
2010-12-06 19:42:30 INFO ZEO.ClientStorage zeostorage No verification necessary -- empty cache
c:\program files\plone\src\products.relations\Products\Relations\ruleset.py:33: UserWarning: You are passing positional arguments to the Schema constructor. Please consult the docstring for Products.Archetypes.Schema.BasicSchema.__init__
  class XMLImportExport:
2010-12-06 19:42:55 INFO Zope Ready to handle requests


I'd still like to know if I should be doing something different in Plone 4
for security. I am assuming this is protecting any code from using this
that is not run by someone with View permissions. Not really sure how to
test that. We are migrating from Plone 2.5 to Plone 4 and I would like to
do things the new way.

Thanks very much for the help.

Joe Bigler
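An added illustration of what the thread's declarations actually decide, and of how to test them, which is the question left open in the post above: the code below is example code written for this page, not code from the thread, from Zope's AccessControl package or from the EducationAssessment4 product. It models ClassSecurityInfo's bookkeeping (declareProtected, declarePublic, declarePrivate) and the role/permission check the Zope security policy performs when restricted code (a page template, a URL request, a Script) reaches a method. The SecurityInfo class, check_access, the role-to-permission table and the Section stand-in are all constructed assumptions; a real product must keep using AccessControl.ClassSecurityInfo and the permission names from Products.CMFCore.permissions.

```python
"""Model of how Zope 2 class security declarations are evaluated.

Added, self-contained sketch (assumption, not the real AccessControl code):
SecurityInfo imitates ClassSecurityInfo's bookkeeping and check_access
imitates the role/permission check made for access from restricted code.
"""

# Permission names.  In a real product these come from
# Products.CMFCore.permissions (the import the thread's fix adds); here they
# are plain strings so the example runs without Zope installed.
View = "View"
ModifyPortalContent = "Modify portal content"

# Which roles hold which permissions.  In Zope this is configured per
# site/folder and acquired; constructed sample values for this example.
ROLE_PERMISSIONS = {
    "Anonymous": {View},
    "Member": {View},
    "Editor": {View, ModifyPortalContent},
    "Manager": {View, ModifyPortalContent},
}

PUBLIC = "public"    # declarePublic: any caller, even one with no roles
PRIVATE = "private"  # declarePrivate: no web caller at all, not even Manager


class SecurityInfo:
    """Records declarations the way ClassSecurityInfo does: name -> permission."""

    def __init__(self):
        self.declarations = {}

    def declareProtected(self, permission, *names):
        for name in names:
            self.declarations[name] = permission

    def declarePublic(self, *names):
        for name in names:
            self.declarations[name] = PUBLIC

    def declarePrivate(self, *names):
        for name in names:
            self.declarations[name] = PRIVATE


def roles_with_permission(permission):
    """Roles holding a permission (Zope stores this as __roles__ on the method)."""
    return {role for role, perms in ROLE_PERMISSIONS.items() if permission in perms}


def check_access(user_roles, cls, name):
    """True if a caller holding user_roles may reach cls.<name> from restricted code.

    Direct calls from trusted filesystem Python (self.Title() inside the
    class) are never checked; only page templates, URL traversal and Scripts
    go through this.  Undeclared methods are treated as inaccessible, the
    usual outcome; the real policy also consults the container's
    __allow_access_to_unprotected_subobjects__, which this model ignores.
    """
    declaration = cls.security.declarations.get(name, PRIVATE)
    if declaration == PUBLIC:
        return True
    if declaration == PRIVATE:
        return False
    return bool(set(user_roles) & roles_with_permission(declaration))


class Section:
    """Constructed stand-in for the thread's Archetypes Section type."""

    security = SecurityInfo()

    def __init__(self, semester, year):
        self.semester = semester
        self.year = year

    security.declareProtected(View, "Title")
    def Title(self):
        return "%s %s" % (self.semester, self.year)

    security.declareProtected(ModifyPortalContent, "setYear")
    def setYear(self, year):
        self.year = year

    security.declarePublic("portal_type_label")
    def portal_type_label(self):
        return "Section"

    # What ArgoUML generated for "Protected" in the thread: private means
    # reachable only from trusted code, never from a template or a URL.
    security.declarePrivate("semesterKey")
    def semesterKey(self):
        return ["Spring", "Summer", "Fall"].index(self.semester)

    # No declaration at all, like getSectionName with its line commented out.
    def getSectionName(self):
        return self.Title()


if __name__ == "__main__":
    for roles, method in [({"Anonymous"}, "Title"), ({"Anonymous"}, "setYear"),
                          ({"Editor"}, "setYear"), ({"Manager"}, "semesterKey"),
                          ({"Manager"}, "getSectionName"), (set(), "portal_type_label")]:
        print(sorted(roles), method, check_access(roles, Section, method))
```

Running the script shows why the product needs declareProtected(View, 'Title') rather than declarePrivate: an anonymous visitor can reach Title, but nobody, Manager included, can reach a private method from a template, and an undeclared method such as getSectionName is likewise unreachable. On a real Plone instance the equivalent check is getSecurityManager().checkPermission(View, obj) from AccessControl, or simply rendering the view as a user who holds only the View permission and confirming that the protected method works while the write-side method raises Unauthorized.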

Mikko Ohtamaa

Dec 7, 2010, 4:56:20 AM
to archetyp...@lists.sourceforge.net

Joe Bigler wrote:
>
> I'd still like to know if I should be doing something different in Plone 4
> for security. I am assuming this is protecting any code from using this
> that is not run by someone with View permissions. Not really sure how to
> test that. We are migrating from Plone 2.5 to Plone 4 and I would like to
> do things the new way.
>

The old way should work just fine - Plone is very backward compatible.

The new way would be to put view logic and security into BrowserView classes
and have less code in .pt files. But how to apply this to your use case depends
a lot on what you are doing.

-Mikko

-----
Mikko Ohtamaa
Mobilize your Plone site - http://webandmobile.mfabrik.com
mFabrik - Freedom Delivered. - http://mfabrik.com


Joe Bigler

Dec 7, 2010, 9:56:36 AM
to archetyp...@lists.sourceforge.net

Thanks. That's good to know. I will keep looking for some more information,
possibly an example of the new techniques. I have most of the Plone books,
but haven't found anything in depth on security yet. It's an important
issue here at the college.

Appreciate the help.

Joe Bigler
Web Administrator
College of Education
Penn State University
