Change solution in branch issue_397 to return HTTP-401 instead of H…

…TTP-404 for view attributes which are not declared to be accessible.
zopefoundation · May 28, 2019 · 71d27eb · 71d27eb
1 parent 8d35e9e
commit 71d27eb
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 28 deletions.
diff --git a/src/Products/Five/browser/metaconfigure.py b/src/Products/Five/browser/metaconfigure.py
@@ -460,27 +460,6 @@ def __call__(self):
         return getattr(self, attr)
 
 
-class DeferredAttrAuthProxy(object):
-    """Proxy to defer the authorization from traversal to object access."""
-
-    security = ClassSecurityInfo()
-
-    def __init__(self, context, name):
-        self.context = context
-        self.name = name
-
-    @security.public
-    def __call__(self, *args, **kw):
-        try:
-            attr = guarded_getattr(self.context, self.name)
-        except (AttributeError, Unauthorized):
-            raise NotFound(self.context, self.name)
-        return attr(*args, **kw)
-
-
-InitializeClass(DeferredAttrAuthProxy)
-
-
 @zope.interface.implementer(IPublishTraverse)
 @zope.component.adapter(simple, IBrowserRequest)
 class SimplePublishTraverse(object):
@@ -491,7 +470,7 @@ def __init__(self, context, request):
         self.request = request
 
     def publishTraverse(self, request, name):
-        return DeferredAttrAuthProxy(self.context, name)
+        return getattr(self.context, name)
 
 
 class ViewMixinForTemplates(zope.browserpage.simpleviewclass.simple):

diff --git a/src/Products/Five/browser/tests/pages_ftest.txt b/src/Products/Five/browser/tests/pages_ftest.txt
@@ -86,7 +86,7 @@ accessible TTW, even if we have the permission to render the view:
 
   >>> response = self.publish('/test_folder_1_/testoid/eagle.method/mouse',
   ...                         basic='viewer:secret')
-  >>> self.assertEqual(response.getStatus(), 404)
+  >>> self.assertEqual(response.getStatus(), 401)
 
 The same should apply for the user if he has all other permissions
 except 'View management screens':

diff --git a/src/Products/Five/browser/tests/test_pages.py b/src/Products/Five/browser/tests/test_pages.py
@@ -113,14 +113,10 @@ def test_publishTraverse_to_allowed_name(self):
         self.assertEqual('The eagle has landed', self.browser.contents)
 
     def test_publishTraverse_to_not_allowed_name(self):
-        # The ``eagle.method`` view has a method ``mouse`` but it is not
-        # registered with ``allowed_attributes`` in pages.zcml. This attribute
-        # should be not be accessible. It leads to # a HTTP-404, so we do not
-        # tell the world about our internal methods:
         with self.assertRaises(HTTPError) as err:
             self.browser.open(
                 'http://localhost/test_folder_1_/testoid/eagle.method/mouse')
-        self.assertEqual('HTTP Error 404: Not Found', str(err.exception))
+        self.assertEqual('HTTP Error 401: Unauthorized', str(err.exception))
 
 
 def test_suite():