
zopefoundation / DocumentTemplate / 17893395798

17 Mar 2025 07:56AM UTC coverage: 85.158% (-0.2%) from 85.31%
17893395798

push

github

web-flow
Update Python version support. (#79)

* Drop support for Python 3.8.

709 of 976 branches covered (72.64%)

Branch coverage included in aggregate %.

2 of 6 new or added lines in 5 files covered. (33.33%)

5 existing lines in 3 files now uncovered.

3273 of 3700 relevant lines covered (88.46%)

0.88 hits per line

Source File

75.81
/src/DocumentTemplate/security.py
##############################################################################
#
# Copyright (c) 2002 Zope Foundation and Contributors.
#
# This software is subject to the provisions of the Zope Public License,
# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
# FOR A PARTICULAR PURPOSE
#
##############################################################################
"""Add security system support to Document Templates"""

# Setup RestrictedDTML

from types import FunctionType

from AccessControl import SecurityManagement
from AccessControl.ImplPython import guarded_getattr
from AccessControl.SimpleObjectPolicies import ContainerAssertions
from AccessControl.ZopeGuards import guarded_getitem
from AccessControl.ZopeGuards import safe_builtins

from DocumentTemplate import DT_Util


# Placeholder binding; the try/except/else block further down rebinds
# RestrictedDTML to the class that is actually used.
RestrictedDTML = None


class BaseRestrictedDTML:
    """Mix-in for DT_String.String derivatives that adds Zope security.

    Both methods hand their arguments unchanged to the guard functions this
    module imports from AccessControl, so the access decision is made by
    those guards and not in this class.
    """

    def guarded_getattr(self, *args):  # ob, name [, default]
        """Return the result of the module-level ``guarded_getattr``.

        The positional arguments (``ob``, ``name`` and an optional
        ``default``) are passed through untouched.  The guard used is the
        one imported from ``AccessControl.ImplPython``.
        """
        # NOTE(review): the coverage report this listing was taken from
        # marks this method body as not executed by the test suite.
        looked_up = guarded_getattr(*args)
        return looked_up

    def guarded_getitem(self, ob, index):
        """Return whatever ``guarded_getitem`` yields for ``(ob, index)``.

        The guard used is the one imported from ``AccessControl.ZopeGuards``.
        """
        fetched = guarded_getitem(ob, index)
        return fetched


# This does not respect the security policy as set by AccessControl. Instead
# it only deals with the C module being compiled or not.
#
# Only ModuleNotFoundError selects the pure-Python fallback.  It is a
# subclass of ImportError, so any other ImportError raised by the import
# below is not caught here and propagates to whoever imports this module
# instead of silently switching implementations.
# NOTE(review): the coverage report this listing was taken from marks the
# except branch as not executed by the test suite.
try:
    from AccessControl.cAccessControl import RestrictedDTMLMixin
except ModuleNotFoundError:
    RestrictedDTML = BaseRestrictedDTML
else:
    # RestrictedDTMLMixin is listed first, so attributes it defines are
    # found before those of BaseRestrictedDTML.
    class RestrictedDTML(RestrictedDTMLMixin, BaseRestrictedDTML):
        """C version of RestrictedDTML."""

# Add security testing capabilities


class DTMLSecurityAPI:
    """API for performing security checks in DTML using '_' methods.

    The functions take ``md`` rather than ``self``: a module-level loop
    after this class copies every attribute whose name does not start with
    an underscore onto ``DT_Util.TemplateDict``, so ``md`` is presumably the
    TemplateDict instance they end up being called on.  Each function asks
    ``SecurityManagement.getSecurityManager()`` for the answer.
    """
    # NOTE(review): the coverage report this listing was taken from marks
    # every method body in this class as not executed by the test suite.

    def SecurityValidate(md, inst, parent, name, value):
        """Validate access through the current security manager.

        Arguments:

        inst -- the object that was being accessed

        parent -- the object the value was found in

        name -- the name used to access the value

        value -- the value retrieved through the access

        All four arguments are required by this wrapper and are forwarded
        positionally, in this order, to the security manager's
        ``validate``; its result is returned unchanged.
        """
        manager = SecurityManagement.getSecurityManager()
        return manager.validate(inst, parent, name, value)

    def SecurityCheckPermission(md, permission, object):
        """Check whether the security context allows the given permission on
        the given object.

        Arguments:

        permission -- a permission name

        object -- the object being accessed according to the permission

        The result of the security manager's ``checkPermission`` is
        returned unchanged.
        """
        manager = SecurityManagement.getSecurityManager()
        return manager.checkPermission(permission, object)

    def SecurityGetUser(md):
        """Get the current authenticated user, as reported by the security
        manager's ``getUser``."""
        manager = SecurityManagement.getSecurityManager()
        return manager.getUser()

    def SecurityCalledByExecutable(md):
        """Return a boolean value indicating if this context was called
        by an executable.

        A positive result from the security manager's
        ``calledByExecutable`` is reduced by one before it is returned;
        any other result is returned as is.
        """
        depth = SecurityManagement.getSecurityManager().calledByExecutable()
        # presumably the subtraction discounts the calling template itself
        # -- confirm against the security manager implementation
        return depth - 1 if depth > 0 else depth


# Publish the security API on TemplateDict: every attribute of
# DTMLSecurityAPI whose name does not start with '_' is copied over.
for name, v in DTMLSecurityAPI.__dict__.items():
    if name[0] != '_':
        setattr(DT_Util.TemplateDict, name, v)

# Copy the entries of AccessControl's safe_builtins onto TemplateDict too.
# Every entry of that mapping, other than '__'-prefixed names, becomes a
# TemplateDict attribute here, so anything added to safe_builtins is
# presumably reachable from templates as well -- review such additions
# with that in mind.
for name, v in safe_builtins.items():
    if type(v) is FunctionType:
        # Plain Python functions are wrapped in DT_Util.NotBindable;
        # presumably so they are not bound as methods when looked up on a
        # TemplateDict instance -- confirm in DT_Util.
        v = DT_Util.NotBindable(v)
    if name.startswith('__'):
        # Double-underscore names are never exported.
        continue
    setattr(DT_Util.TemplateDict, name, v)


# Temporarily create a DictInstance so that we can mark its type as
# being a key in the ContainerAssertions.

class _dummy_class:
    pass


templateDict = DT_Util.TemplateDict()
try:
    # Calling the TemplateDict with a keyword and taking element 0 yields
    # the object whose type is registered below.
    dictInstance = templateDict(dummy=1)[0]
    # NOTE(review): on Python 3, type(_dummy_class()) is _dummy_class
    # itself, so this test can only be true when dictInstance is a
    # _dummy_class instance.  It looks like a leftover guard from old-style
    # classes and no longer narrows which type gets registered -- confirm.
    if not isinstance(dictInstance, type(_dummy_class())):
        # Registers the concrete type with AccessControl's
        # ContainerAssertions; the value 1 presumably means "allow" in
        # AccessControl.SimpleObjectPolicies -- confirm there, since the
        # assertion applies to every instance of that type.
        ContainerAssertions[type(dictInstance)] = 1
except Exception:
    # Hmm, this may cause _() and _.namespace() to fail.
    # What to do?
    # NOTE(review): the failure is swallowed without any log record, so a
    # missing ContainerAssertions entry would only surface later, when a
    # template uses the object.
    pass