Re: [Zope3-Users] Referencing objects

2011-02-21 Thread Michael Seifert

On 04.02.2011 17:04, Thierry Florac wrote:
 Hi,
 
 
 On Friday 4 February 2011,
   Michael Seifert michael.seif...@gmx.net wrote:
 Hello everyone,
 
 I recently started a Zope3 project, but I am stuck at the very
 beginning. Although I have some experience with Zope2, the more
 flexible approach to developing web applications was giving me a
 really hard start. Let me point out my situation:
 I created a container hierarchy which is stored in ZODB. Say I have a
 set of object types A, B, C, D, whose relationships look like the
 following (edges represent containment, i.e. A contains B,... where B
 and D are in subcontainers of A):
 
      A
     / \
    B   D
    |
    C
 
 C has an attribute referencing an object of type D. As this attribute
 is mandatory on creation, I created a vocabulary, which ascends the
 hierarchy from the current context until it reaches A and returns all
 objects of type D.
 Now the part that doesn't work:
 While ascending from C to B and from B to A works fine, descending
 from A to D returns a security proxied object and since these objects
 cannot be pickled, I cannot store its reference in the attribute of
 C.
 
 1. Is this the way it's meant to be done? :) What is your opinion of
 storing B and D objects in subcontainers of A?
 
 That shouldn't be a problem; it's not different from when you use a basic
 folder-like container which, internally, stores sub-objects in an
 internal b-tree container; the only difference here is that you own
 two internal containment attributes.
 
 
 2. Are there any means to turn the vocabulary into trusted code, so it
 will not be encapsulated in a proxy (without deactivating the security
 proxy)?
 
 Perhaps you can use the removeSecurityProxy function?
 
 
 3. How do you reference objects like you do with foreign keys in
 relational databases? I want to do this to prevent objects from being
 saved multiple times.
 
 If the targeted object is persistent (and so a subclass of the
 Persistent class), it should be stored only once in the database
 (just try to alter properties of an object and check whether the other one
 is also modified!)
 Another way I commonly use to store references is to store only an
 IIntIds utility reference, which is an integer; the benefit of this
 is that this value can easily be indexed.
 
 Regards,
 Thierry

Thanks Thierry, your answer helped a lot.

I solved the issue with:
from zope.schema.vocabulary import SimpleVocabulary
from zope.security.proxy import removeSecurityProxy

def vocab(context):
    ...
    # unwrap each value so the bare persistent object can be stored (and pickled)
    return SimpleVocabulary.fromValues(
        [removeSecurityProxy(elem) for elem in context.values()])


Still, I have some questions regarding the security.

1.
When creating the vocabulary with
return SimpleVocabulary.fromValues([elem.someFunc() for elem in
context.values()])
I noticed that the elem objects in context.values() are not proxied yet, so the
actual wrapping must take place before the values are passed to the ZMI.
How does calling the removeSecurityProxy function prevent the objects
from being wrapped, since the wrapping takes place AFTER the function call?
(I had a look at the sources, but the implementation resides in
zope.security._proxy which is a binary .so file)


2.
The vocabularies are registered as utilities in the .zcml file(s).
Since access to objects from these vocabularies is not checked by a
security proxy: Is it therefore possible that any user can access the
vocabulary data?
If so, is there a way to restrict access to the utility vocabularies?

Regards,
Michael
___
Zope3-users mailing list
Zope3-users@zope.org
https://mail.zope.org/mailman/listinfo/zope3-users


Re: [Zope3-Users] Referencing objects

2011-02-21 Thread Simon Elbaz
Hi,
here is what I have understood in zope3 security policy:

On Mon, Feb 21, 2011 at 1:28 PM, Michael Seifert michael.seif...@gmx.net wrote:

 Still, I have some questions regarding the security.

 1.
 When creating the vocabulary with
 return SimpleVocabulary.fromValues([elem.someFunc() for elem in
 context.values()])
 I noticed that the elem objects in context.values() are not proxied yet, so the
 actual wrapping must take place before the values are passed to the ZMI.
 How does calling the removeSecurityProxy function prevent the objects
 from being wrapped, since the wrapping takes place AFTER the function call?
 (I had a look at the sources, but the implementation resides in
 zope.security._proxy which is a binary .so file)



The removeSecurityProxy does not prevent the object from being proxied: it
allows the storage of the object in an attribute without its proxy.
The original object will always be proxied.


 2.
 The vocabularies are registered as utilities in the .zcml file(s).
 Since access to objects from these vocabularies is not checked by a
 security proxy: Is it therefore possible that any user can access the
 vocabulary data?
 If so, is there a way to restrict access to the utility vocabularies?


You can use the utility permission attribute.



 Regards,
 Michael


Regards,
Simon
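Michael's question 1 and Simon's answer above (unwrapping is only for the stored reference; anything read back through a proxied object is proxied again) as an added example, not code from this thread or from zope.security: a small Python model of a permission-checking proxy, a removeSecurityProxy-style unwrap, and the vocabulary's walk from C up to A. The Proxy and Node classes, the RULES checker and the permission name are constructed for the illustration.

```python
import pickle

class Proxy:
    """Toy model of a zope.security proxy (not zope's code): reads are permission-checked,
    values read through it come back proxied, and pickling is refused."""
    def __init__(self, obj, granted, rules):
        object.__setattr__(self, "_state", (obj, granted, rules))
    def __getattr__(self, name):
        obj, granted, rules = object.__getattribute__(self, "_state")
        if rules.get(name) not in granted:
            raise PermissionError(f"{name} requires {rules.get(name)}")
        return proxy(getattr(obj, name), granted, rules)
    def __reduce_ex__(self, protocol):
        raise pickle.PicklingError("security proxies cannot be pickled")

def proxy(obj, granted, rules):  # wrap a value: scalars pass through, lists element-wise
    if isinstance(obj, list): return [proxy(x, granted, rules) for x in obj]
    return obj if obj is None or isinstance(obj, (int, str)) else Proxy(obj, granted, rules)

def remove_security_proxy(obj):  # model of zope.security.proxy.removeSecurityProxy
    return object.__getattribute__(obj, "_state")[0] if isinstance(obj, Proxy) else obj

class Node:  # model of a persistent content object with a containment parent and children
    def __init__(self, kind, parent=None):
        self.kind, self.parent, self.children, self.target = kind, parent, [], None
        if parent is not None:
            parent.children.append(self)
# constructed checker: the permission each attribute needs (zope.View is a real Zope permission name)
RULES = {a: "zope.View" for a in ("kind", "parent", "children", "target")}

def d_vocabulary(context):
    """Walk up through proxied parents to the root A and return its D children bare."""
    node = context
    while node.kind != "A":
        node = node.parent
    return [remove_security_proxy(n) for n in node.children if n.kind == "D"]

def raises(fn, exc):  # True if calling fn raises exc
    try:
        fn(); return False
    except exc:
        return True

def demo():
    """Constructed tree A -> (B -> C, D) from the thread; reports what each step shows."""
    a = Node("A"); b = Node("B", a); c = Node("C", b); d = Node("D", a)
    view = {"zope.View"}; pc = proxy(c, view, RULES)   # the proxied context untrusted code sees
    c.target = d_vocabulary(pc)[0]                      # store the bare D, as the posted vocab does
    return {"proxy_pickles": not raises(lambda: pickle.dumps(proxy(d, view, RULES)), pickle.PicklingError),
            "stored_bare": not isinstance(c.target, Proxy),
            "reproxied_on_read": isinstance(pc.target, Proxy),
            "c_pickles": bool(pickle.dumps(c)),
            "unprivileged_read": not raises(lambda: proxy(c, set(), RULES).target, PermissionError)}
```

Note that d_vocabulary itself runs unchecked once it unwraps, so it is the piece that must be trusted; a caller without zope.View still cannot read C.target through the proxy.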


Re: [Zope3-Users] Referencing objects

2011-02-04 Thread Thierry Florac

Hi,


On Friday 4 February 2011,
  Michael Seifert michael.seif...@gmx.net wrote:
 Hello everyone,
 
 I recently started a Zope3 project, but I am stuck at the very
 beginning. Although I have some experience with Zope2, the more
 flexible approach to developing web applications was giving me a
 really hard start. Let me point out my situation:
 I created a container hierarchy which is stored in ZODB. Say I have a
 set of object types A, B, C, D, whose relationships look like the
 following (edges represent containment, i.e. A contains B,... where B
 and D are in subcontainers of A):
 
      A
     / \
    B   D
    |
    C
 
 C has an attribute referencing an object of type D. As this attribute
 is mandatory on creation, I created a vocabulary, which ascends the
 hierarchy from the current context until it reaches A and returns all
 objects of type D.
 Now the part that doesn't work:
 While ascending from C to B and from B to A works fine, descending
 from A to D returns a security proxied object and since these objects
 cannot be pickled, I cannot store its reference in the attribute of
 C.
 
 1. Is this the way it's meant to be done? :) What is your opinion of
 storing B and D objects in subcontainers of A?

That shouldn't be a problem; it's not different from when you use a basic
folder-like container which, internally, stores sub-objects in an
internal b-tree container; the only difference here is that you own
two internal containment attributes.


 2. Are there any means to turn the vocabulary into trusted code, so it
 will not be encapsulated in a proxy (without deactivating the security
 proxy)?

Perhaps you can use the removeSecurityProxy function?


 3. How do you reference objects like you do with foreign keys in
 relational databases? I want to do this to prevent objects from being
 saved multiple times.

If the targeted object is persistent (and so a subclass of the
Persistent class), it should be stored only once in the database
(just try to alter properties of an object and check whether the other one
is also modified!)
Another way I commonly use to store references is to store only an
IIntIds utility reference, which is an integer; the benefit of this
is that this value can easily be indexed.

Regards,
Thierry
-- 
Intranet/Internet project manager
Office National des Forêts - IT Department
2, Avenue de Saint-Mandé
75570 Paris Cedex 12
Tel.: 01 40 19 59 64
Fax: 01 40 19 58 85
Email: thierry.flo...@onf.fr
Web: http://www.onf.fr