Hi, While porting one ZTK app to Python 3 I discovered the following problems with zope.security:
1) There was a package zope.app.security, which, along with zope.app baggage provided security declarations for BTrees and PersistentDict, PersistentList. They were in a separate file, _protections.zcml. What would be a good place for these from now on? zope.security? There is also a file globalmodules.zcml in zope.app.security, which declares public APIs of a lot of standard library modules. These declarations don't seem to enable open access on attributes of those classes, though. Is that a leftover of old untrusted TTW code attempts or does it do something useful? 2) PersistentDict on Py3 is based on collections.abc.Mapping, which uses classes such as collections.abc.View, KeysView, ValuesView for the results of the relevant methods. These classes currently have no security declarations. Perhaps all immutable/view classes in collections.abc should be added to the list of basic types in zope.security.checker? Or just declared together with persistent and BTrees classes? For Python 2 we can hedge out the declarations with zcml:condition="not-installed collections.abc". 3) BTrees have problems with security, too. Their items/keys/values methods return objects of classes like OOBTreeItems. On Python 2 zope.security used to pass them through, on Python 3 I'm getting ForbiddenAttribute errors. These classes don't seem importable, so it's not obvious how to declare their permissions. Thoughts? Advice? Albertas _______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )