Implement a way which does not lead to HTTP-401 for not published att…

…ributes.

This is the way it was before.

src/Products/Five/browser/metaconfigure.py

@@ -30,6 +30,8 @@
 from AccessControl.security import getSecurityInfo
 from AccessControl.security import protectClass
 from AccessControl.security import protectName
+from AccessControl.unauthorized import Unauthorized
+from AccessControl.ZopeGuards import guarded_getattr
 from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
 from Products.Five.browser.resource import DirectoryResourceFactory
 from Products.Five.browser.resource import FileResourceFactory
@@ -48,6 +50,7 @@
 from zope.configuration.exceptions import ConfigurationError
 from zope.interface import Interface
 from zope.interface import classImplements
+from zope.publisher.interfaces import IPublishTraverse
 from zope.publisher.interfaces import NotFound
 from zope.publisher.interfaces.browser import IBrowserPublisher
 from zope.publisher.interfaces.browser import IBrowserRequest
@@ -441,8 +444,16 @@ class ViewNotCallableError(AttributeError, NotImplementedError):
     pass
 
 
+@zope.interface.implementer(IPublishTraverse)
 class simple(zope.publisher.browser.BrowserView):
 
+    def publishTraverse(self, request, name):
+        try:
+            return guarded_getattr(self, name)
+        except Unauthorized:
+            # attribute exists but is not published, so hide it from access:
+            raise AttributeError(name)
+
     # __call__ should have the same signature as the original method
     @property
     def __call__(self):

src/Products/Five/browser/tests/pages.txt

@@ -234,11 +234,11 @@ Other attributes are private:
   >>> aq_acquire(view, 'mouse__roles__') is ACCESS_PRIVATE
   True
 
-zope.browserpage does not have a ``publishTraverse`` method:
+In zope.browserpage this is just protected with the specified permission. Not
+sure if this has to be private in Zope 2:
 
-  >>> aq_acquire(view, 'publishTraverse__roles__')
-  Traceback (most recent call last):
-  AttributeError: 'RequestContainer' object has no attribute 'publishTraverse__roles__'
+  >>> aq_acquire(view, 'publishTraverse__roles__') is ACCESS_PRIVATE
+  True
 
 Check to see if view's context properly acquires its true
 parent

src/Products/Five/browser/tests/pages_ftest.txt

@@ -86,7 +86,7 @@ accessible TTW, even if we have the permission to render the view:
 
   >>> response = self.publish('/test_folder_1_/testoid/eagle.method/mouse',
   ...                         basic='viewer:secret')
-  >>> self.assertEqual(response.getStatus(), 401)
+  >>> self.assertEqual(response.getStatus(), 404)
 
 The same should apply for the user if he has all other permissions
 except 'View management screens':

src/Products/Five/browser/tests/test_pages.py

@@ -86,11 +86,17 @@ def test_publishTraverse_to_allowed_name():
     Publishing traversal with the default adapter should work:
 
     >>> from ZPublisher.BaseRequest import DefaultPublishTraverse
-    >>> adapter = DefaultPublishTraverse(view, folder.REQUEST)
-    >>> result = adapter.publishTraverse(folder.REQUEST, 'eagle')()
+    >>> request = folder.REQUEST
+    >>> adapter = DefaultPublishTraverse(view, request)
+    >>> result = adapter.publishTraverse(request, 'eagle')()
     >>> 'The eagle has landed' in result
     True
 
+    Publishing traversal also works directly:
+
+    >>> view.publishTraverse(request, 'eagle')() == 'The eagle has landed'
+    True
+
     Clean up:
 
     >>> from zope.component.testing import tearDown