Merge branch 'master' into py39

CHANGES.rst

@@ -9,6 +9,8 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 5.0a1 (unreleased)
 ------------------
 
+- Clean up and sanitize permissions used for WebDAV-related methods
+
 - Fix sort link URLs on ``manage_main``
   (`#748 <https://github.com/zopefoundation/Zope/issues/748>`_)
 

src/App/DavLockManager.py

@@ -18,9 +18,7 @@
 from App.special_dtml import DTMLFile
 from OFS.Lockable import wl_isLocked
 from OFS.SimpleItem import Item
-
-
-manage_webdav_locks = 'Manage WebDAV Locks'
+from webdav import webdav_manage_locks
 
 
 class DavLockManager(Item, Implicit):
@@ -31,14 +29,14 @@ class DavLockManager(Item, Implicit):
 
     security = ClassSecurityInfo()
 
-    security.declareProtected(manage_webdav_locks,  # NOQA: D001
+    security.declareProtected(webdav_manage_locks,  # NOQA: D001
                               'manage_davlocks')
     manage_davlocks = manage_main = manage = DTMLFile(
         'dtml/davLockManager', globals())
     manage_davlocks._setName('manage_davlocks')
     manage_options = ({'label': 'Write Locks', 'action': 'manage_main'}, )
 
-    @security.protected(manage_webdav_locks)
+    @security.protected(webdav_manage_locks)
     def findLockedObjects(self, frompath=''):
         app = self.getPhysicalRoot()
 
@@ -66,7 +64,7 @@ def unlockObjects(self, paths=[]):
             ob = app.unrestrictedTraverse(path)
             ob.wl_clearLocks()
 
-    @security.protected(manage_webdav_locks)
+    @security.protected(webdav_manage_locks)
     def manage_unlockObjects(self, paths=[], REQUEST=None):
         " Management screen action to unlock objects. "
         if paths:

src/OFS/Lockable.py

@@ -12,12 +12,15 @@
 ##############################################################################
 
 from AccessControl.class_init import InitializeClass
+from AccessControl.Permissions import webdav_lock_items
+from AccessControl.Permissions import webdav_unlock_items
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from Acquisition import aq_base
 from OFS.EtagSupport import EtagSupport
 from OFS.interfaces import ILockItem
 from OFS.interfaces import IWriteLock
 from Persistence import PersistentMapping
+from webdav import webdav_manage_locks
 from zope.interface import implementer
 
 
@@ -31,8 +34,8 @@ class LockableItem(EtagSupport):
 
     # Setting default roles for permissions - we want owners of conent
     # to be able to lock.
-    security.setPermissionDefault('WebDAV Lock items', ('Manager', 'Owner',))
-    security.setPermissionDefault('WebDAV Unlock items', ('Manager', 'Owner',))
+    security.setPermissionDefault(webdav_lock_items, ('Manager', 'Owner',))
+    security.setPermissionDefault(webdav_unlock_items, ('Manager', 'Owner',))
 
     @security.private
     def wl_lockmapping(self, killinvalids=0, create=0):
@@ -93,7 +96,7 @@ def wl_isLocked(self):
         else:
             return 0
 
-    @security.protected('WebDAV Lock items')
+    @security.protected(webdav_lock_items)
     def wl_setLock(self, locktoken, lock):
         locks = self.wl_lockmapping(create=1)
         if ILockItem.providedBy(lock):
@@ -109,13 +112,13 @@ def wl_getLock(self, locktoken):
         locks = self.wl_lockmapping(killinvalids=1)
         return locks.get(locktoken, None)
 
-    @security.protected('WebDAV Unlock items')
+    @security.protected(webdav_unlock_items)
     def wl_delLock(self, locktoken):
         locks = self.wl_lockmapping()
         if locktoken in locks:
             del locks[locktoken]
 
-    @security.protected('Manage WebDAV Locks')
+    @security.protected(webdav_manage_locks)
     def wl_clearLocks(self):
         # Called by lock management machinery to quickly and effectively
         # destroy all locks.

src/webdav/Collection.py

@@ -17,6 +17,8 @@
 
 from AccessControl.class_init import InitializeClass
 from AccessControl.Permissions import delete_objects
+from AccessControl.Permissions import view
+from AccessControl.Permissions import webdav_access
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from AccessControl.SecurityManagement import getSecurityManager
 from App.Common import rfc1123_date
@@ -57,6 +59,7 @@ def dav__init(self, request, response):
         # Initialize ETag header
         self.http__etag()
 
+    @security.protected(view)
     def HEAD(self, REQUEST, RESPONSE):
         """Retrieve resource information without a response body."""
         self.dav__init(REQUEST, RESPONSE)
@@ -135,6 +138,7 @@ def DELETE(self, REQUEST, RESPONSE):
 
         return RESPONSE
 
+    @security.protected(webdav_access)
     def listDAVObjects(self):
         objectValues = getattr(self, 'objectValues', None)
         if objectValues is not None:

src/webdav/NullResource.py

@@ -18,7 +18,8 @@
 
 from AccessControl.class_init import InitializeClass
 from AccessControl.Permissions import add_folders
-from AccessControl.Permissions import view as View
+from AccessControl.Permissions import view
+from AccessControl.Permissions import webdav_access
 from AccessControl.Permissions import webdav_lock_items
 from AccessControl.Permissions import webdav_unlock_items
 from AccessControl.SecurityInfo import ClassSecurityInfo
@@ -85,7 +86,7 @@ def __bobo_traverse__(self, REQUEST, name=None):
             raise Conflict('Collection ancestors must already exist.')
         raise NotFound('The requested resource was not found.')
 
-    @security.protected(View)
+    @security.protected(view)
     def HEAD(self, REQUEST, RESPONSE):
         """Retrieve resource information without a response message body."""
         self.dav__init(REQUEST, RESPONSE)
@@ -305,10 +306,10 @@ class LockNullResource(NullResource, Item_w__name__):
 
     manage_options = ({'label': 'Info', 'action': 'manage_main'},)
 
-    security.declareProtected(View, 'manage')  # NOQA: D001
-    security.declareProtected(View, 'manage_main')  # NOQA: D001
+    security.declareProtected(view, 'manage')  # NOQA: D001
+    security.declareProtected(view, 'manage_main')  # NOQA: D001
     manage = manage_main = DTMLFile('dtml/locknullmain', globals())
-    security.declareProtected(View, 'manage_workspace')  # NOQA: D001
+    security.declareProtected(view, 'manage_workspace')  # NOQA: D001
     manage_workspace = manage
     manage_main._setName('manage_main')  # explicit
 
@@ -328,6 +329,7 @@ def __init__(self, name):
     def title_or_id(self):
         return 'Foo'
 
+    @security.protected(webdav_access)
     def PROPFIND(self, REQUEST, RESPONSE):
         """Retrieve properties defined on the resource."""
         return Resource.PROPFIND(self, REQUEST, RESPONSE)

src/webdav/Resource.py

@@ -23,7 +23,7 @@
 from AccessControl.class_init import InitializeClass
 from AccessControl.Permissions import delete_objects
 from AccessControl.Permissions import manage_properties
-from AccessControl.Permissions import view as View
+from AccessControl.Permissions import view
 from AccessControl.Permissions import webdav_access
 from AccessControl.Permissions import webdav_lock_items
 from AccessControl.Permissions import webdav_unlock_items
@@ -199,7 +199,7 @@ def dav__simpleifhandler(self, request, response, method='PUT',
             return 0
 
     # WebDAV class 1 support
-    @security.protected(View)
+    @security.protected(view)
     def HEAD(self, REQUEST, RESPONSE):
         """Retrieve resource information without a response body."""
         self.dav__init(REQUEST, RESPONSE)

src/webdav/__init__.py

@@ -36,3 +36,6 @@
    Microsoft, U.C. Irvine, Netscape, Novell.  February, 1999."""
 
 enable_ms_public_header = False
+
+# This permission does not exist in AccessControl.Permissions
+webdav_manage_locks = 'Manage WebDAV Locks'