Remove proxy role support from DTML documents and methods.

zopefoundation · Sep 2, 2016 · e040364 · e040364
1 parent dbb476e
commit e040364
Show file tree

Hide file tree

Showing 5 changed files with 4 additions and 101 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -30,6 +30,8 @@ Features Added
 Restructuring
 +++++++++++++
 
+- Remove proxy role support from DTML documents and methods.
+
 - Remove ZCacheable logic and StandardCacheManagers dependency.
 
 - Stop mixing in `Five.bbb.AcquisitionBBB` into browser components.

diff --git a/src/OFS/DTMLDocument.py b/src/OFS/DTMLDocument.py
@@ -49,7 +49,6 @@ class DTMLDocument(PropertyManager, DTMLMethod):
     def manage_upload(self, file='', REQUEST=None):
         """ Replace the contents of the document with the text in 'file'.
         """
-        self._validateProxy(REQUEST)
         if self.wl_isLocked():
             raise ResourceLockedError('This document has been locked.')
 

diff --git a/src/OFS/DTMLMethod.py b/src/OFS/DTMLMethod.py
@@ -23,18 +23,16 @@
 from App.special_dtml import HTML
 from AccessControl import getSecurityManager
 from AccessControl.Permissions import view_management_screens
-from AccessControl.Permissions import change_proxy_roles
 from AccessControl.Permissions import view as View  # NOQA
 from AccessControl.Permissions import ftp_access
-from AccessControl.requestmethod import requestmethod
 from AccessControl.tainted import TaintedString
 from DocumentTemplate.permissions import change_dtml_methods
 from DocumentTemplate.security import RestrictedDTML
 from OFS import bbb
 from OFS.Cache import Cacheable
 from OFS.role import RoleManager
 from OFS.SimpleItem import Item_w__name__
-from zExceptions import Forbidden, ResourceLockedError
+from zExceptions import ResourceLockedError
 from zExceptions.TracebackSupplement import PathTracebackSupplement
 from zope.contenttype import guess_content_type
 
@@ -53,7 +51,6 @@ class DTMLMethod(RestrictedDTML,
     """ DocumentTemplate.HTML objects that act as methods of their containers.
     """
     meta_type = 'DTML Method'
-    _proxy_roles = ()
     index_html = None  # Prevent accidental acquisition
 
     security = ClassSecurityInfo()
@@ -69,7 +66,6 @@ class func_code(object):
 
     manage_options = ((
         {'label': 'Edit', 'action': 'manage_main'},
-        {'label': 'Proxy', 'action': 'manage_proxyForm'},
     ) +
         RoleManager.manage_options +
         Item_w__name__.manage_options
@@ -165,14 +161,10 @@ def get_size(self):
     security.declareProtected(change_dtml_methods, 'manage_main')
     manage = manage_main = manage_editDocument = manage_editForm
 
-    security.declareProtected(change_proxy_roles, 'manage_proxyForm')
-    manage_proxyForm = DTMLFile('dtml/documentProxy', globals())
-
     security.declareProtected(change_dtml_methods, 'manage_edit')
     def manage_edit(self, data, title, SUBMIT='Change', REQUEST=None):
         """ Replace contents with 'data', title with 'title'.
         """
-        self._validateProxy(REQUEST)
         if self.wl_isLocked():
             raise ResourceLockedError('This item is locked.')
 
@@ -190,7 +182,6 @@ def manage_edit(self, data, title, SUBMIT='Change', REQUEST=None):
     def manage_upload(self, file='', REQUEST=None):
         """ Replace the contents of the document with the text in 'file'.
         """
-        self._validateProxy(REQUEST)
         if self.wl_isLocked():
             raise ResourceLockedError('This DTML Method is locked.')
 
@@ -204,41 +195,6 @@ def manage_upload(self, file='', REQUEST=None):
             message = "Saved changes."
             return self.manage_main(self, REQUEST, manage_tabs_message=message)
 
-    def manage_haveProxy(self, r):
-        return r in self._proxy_roles
-
-    def _validateProxy(self, request, roles=None):
-        if roles is None:
-            roles = self._proxy_roles
-        if not roles:
-            return
-        user = u = getSecurityManager().getUser()
-        user = user.allowed
-        for r in roles:
-            if r and not user(self, (r,)):
-                user = None
-                break
-
-        if user is not None:
-            return
-
-        raise Forbidden(
-            'You are not authorized to change <em>%s</em> because you '
-            'do not have proxy roles.\n<!--%s, %s-->' % (
-                self.__name__, u, roles))
-
-    security.declareProtected(change_proxy_roles, 'manage_proxy')
-    @requestmethod('POST')
-    def manage_proxy(self, roles=(), REQUEST=None):
-        "Change Proxy Roles"
-        self._validateProxy(REQUEST, roles)
-        self._validateProxy(REQUEST)
-        self._proxy_roles = tuple(roles)
-        if REQUEST:
-            message = "Saved changes."
-            return self.manage_proxyForm(self, REQUEST,
-                                         manage_tabs_message=message)
-
     security.declareProtected(view_management_screens, 'PrincipiaSearchSource')
     def PrincipiaSearchSource(self):
         # Support for searching - the document's contents are searched.
@@ -259,7 +215,6 @@ def PUT(self, REQUEST, RESPONSE):
             self.dav__init(REQUEST, RESPONSE)
             self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
             body = REQUEST.get('BODY', '')
-            self._validateProxy(REQUEST)
             self.munge(body)
             RESPONSE.setStatus(204)
             return RESPONSE

diff --git a/src/OFS/dtml/documentProxy.dtml b/src/OFS/dtml/documentProxy.dtml
diff --git a/src/OFS/dtml/owner.dtml b/src/OFS/dtml/owner.dtml
@@ -4,8 +4,7 @@
 <p class="form-help">
 Almost all Zope objects can be owned. When you create an object you
 become its owner. Ownership matters for method objects since
-it determines what roles they have when they are executed. See the
-<em>Proxy Roles</em> view of method objects for more information.
+it determines what roles they have when they are executed.
 </p>
 
 <p>