Hi there,
I'm slightly confused by a class I have:
class X(Persistent, Acquisition.Explicit):
This class has no __roles__, no __ac_permissions__, no nothing...
Instances of this class are stored within a special folderish class, Y.
This folderish class has a __bobo_traverse__ which returns X objects,
wrapped in context, from it's self._xs BTree using something along the
lines of:
def __bobo_traverse__(self, REQUEST, name):
ob = getattr(self, name, _marker)
if ob == _marker:
ob =
return self._xs[name].__of__(self)
Now, it appears no methods or other attributes of this class are
protected by the security machinery, even though the instances involved
are wrapped. The DocString stuff still applies but, once a method has a
docstring, any anonymous user who can traverse to one of these objects,
can execute any method (attributes whinge about a missing docstring, how
bizarre, attepting to traverse to __init__ complains the method starts
with a _ ;-) of that instance which is more than a little disturbing ;-)
I thought Zope's security policy had changed to be disallow by default,
but that really doesn't seem to be the case here :-S
What am I missing out on? Is there some mixin class I need or something
I need to acquire to make the security machinery check these objects?
confusedly and worriedly,
Chris
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )