Re: [Zope] Re: Python Classes and Zope.
Florent Guillaume wrote:
Paul Winkler wrote:
On Fri, Dec 02, 2005 at 04:12:01PM +0100, Jean-Marc Orliaguet wrote:
does zope2 do an access control based on acquisition for public
methods, that would be a waste of resources since the answer is
always yes, granted ?
Well, the thing is, the declaration that makes the method public
*has no effect* unless your class participates in acquisition.
That's not true. The objects of this class will be perfectly accessible
to a restricted user:
from AccessControl import ClassSecurityInfo
class MyStuff(object):
security = ClassSecurityInfo()
security.declareObjectPublic()
security.setDefaultAccess('allow')
def foo(self):
return 'bar'
InitializeClass(MyStuff)
In Zope 2.7.8 I get a segmentation fault when I try to do the above; I
also have the following code that manages this for any class (to avoid
having to do that for every single class):
def _ZopifyClass(a_class):
a_class.security = ClassSecurityInfo()
a_class.security.declareObjectPublic() # Segmentation fault
security.setDefaultAccess('allow')
InitializeClass(a_class)
I cannot swithc to Zope 2.8 because my code runs in PLone 2.05 and it
does not work with Zope 2.8.
The segmentation fault occurs in the declareObjectPublic() statement.
Is there a fix for the Zope 2.7 to this problem?
Thanks.
/dario
--
-- ---
Dario Lopez-Kästen, IT Systems Services Chalmers University of Tech.
Lyrics applied to programming application design:
emancipate yourself from mental slavery - redemption song, b. marley
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Python Classes and Zope.
Dario Lopez-Kästen wrote:
Florent Guillaume wrote:
Paul Winkler wrote:
On Fri, Dec 02, 2005 at 04:12:01PM +0100, Jean-Marc Orliaguet wrote:
does zope2 do an access control based on acquisition for public
methods, that would be a waste of resources since the answer is
always yes, granted ?
Well, the thing is, the declaration that makes the method public
*has no effect* unless your class participates in acquisition.
That's not true. The objects of this class will be perfectly
accessible to a restricted user:
from AccessControl import ClassSecurityInfo
class MyStuff(object):
security = ClassSecurityInfo()
security.declareObjectPublic()
security.setDefaultAccess('allow')
def foo(self):
return 'bar'
InitializeClass(MyStuff)
In Zope 2.7.8 I get a segmentation fault when I try to do the above; I
also have the following code that manages this for any class (to avoid
having to do that for every single class):
def _ZopifyClass(a_class):
a_class.security = ClassSecurityInfo()
a_class.security.declareObjectPublic() # Segmentation fault
security.setDefaultAccess('allow')
InitializeClass(a_class)
I cannot swithc to Zope 2.8 because my code runs in PLone 2.05 and it
does not work with Zope 2.8.
The segmentation fault occurs in the declareObjectPublic() statement.
Is there a fix for the Zope 2.7 to this problem?
Thanks.
/dario
is it a typo, or did you mean:
a_class.security.setDefaultAccess('allow')
?
/JM
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Python Classes and Zope.
Jean-Marc Orliaguet wrote:
is it a typo, or did you mean:
a_class.security.setDefaultAccess('allow')
it is a type and I do mean a_class.security.setDefaultAccess('allow').
/dario
--
-- ---
Dario Lopez-Kästen, IT Systems Services Chalmers University of Tech.
Lyrics applied to programming application design:
emancipate yourself from mental slavery - redemption song, b. marley
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Python Classes and Zope.
Dario Lopez-Kästen wrote:
Florent Guillaume wrote:
Paul Winkler wrote:
On Fri, Dec 02, 2005 at 04:12:01PM +0100, Jean-Marc Orliaguet wrote:
does zope2 do an access control based on acquisition for public
methods, that would be a waste of resources since the answer is
always yes, granted ?
Well, the thing is, the declaration that makes the method public
*has no effect* unless your class participates in acquisition.
That's not true. The objects of this class will be perfectly
accessible to a restricted user:
from AccessControl import ClassSecurityInfo
class MyStuff(object):
security = ClassSecurityInfo()
security.declareObjectPublic()
security.setDefaultAccess('allow')
def foo(self):
return 'bar'
InitializeClass(MyStuff)
In Zope 2.7.8 I get a segmentation fault when I try to do the above; I
also have the following code that manages this for any class (to avoid
having to do that for every single class):
def _ZopifyClass(a_class):
a_class.security = ClassSecurityInfo()
a_class.security.declareObjectPublic() # Segmentation fault
security.setDefaultAccess('allow')
InitializeClass(a_class)
I cannot swithc to Zope 2.8 because my code runs in PLone 2.05 and it
does not work with Zope 2.8.
The segmentation fault occurs in the declareObjectPublic() statement.
Is there a fix for the Zope 2.7 to this problem?
Thanks.
/dario
that's because it does not seem to work with new-style python classes in
zope2.7
it works with:
class MyStuff:
instead of:
class MyStuff(object):
This is what you would have got:
File /opt/Zope-2.7/lib/python/AccessControl/SecurityInfo.py, line
165, in apply
dict['%s__roles__' % name] = access
TypeError: object does not support item assignment
if you'd run it without the extra call.
now, the question is if it's worth the extra effort.
/JM
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Python Classes and Zope.
Jean-Marc Orliaguet wrote: that's because it does not seem to work with new-style python classes in zope2.7 it works with: class MyStuff: instead of: class MyStuff(object): This is what you would have got: File /opt/Zope-2.7/lib/python/AccessControl/SecurityInfo.py, line 165, in apply dict['%s__roles__' % name] = access TypeError: object does not support item assignment if you'd run it without the extra call. now, the question is if it's worth the extra effort. aha!; thanks for the explanation. Well, as you know, we have not officially gotten so far with implementing new style class features on our base classes (that is, unless you have checked in som extra code lately that relies on NSC) Considering the time frame we are living with - yes, not using NSC is definitely the way to go for now, until I have time to upgrade to Plone 2.1.1 and Zope 2.8 or 2.9. Thanks! /dario -- -- --- Dario Lopez-Kästen, IT Systems Services Chalmers University of Tech. Lyrics applied to programming application design: emancipate yourself from mental slavery - redemption song, b. marley ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Python Classes and Zope.
On Fri, Dec 02, 2005 at 11:57:16PM +0100, Florent Guillaume wrote:
Paul Winkler wrote:
(snip)
Well, the thing is, the declaration that makes the method public
*has no effect* unless your class participates in acquisition.
That's not true. The objects of this class will be perfectly accessible
to a restricted user:
from AccessControl import ClassSecurityInfo
class MyStuff(object):
security = ClassSecurityInfo()
security.declareObjectPublic()
security.setDefaultAccess('allow')
def foo(self):
return 'bar'
InitializeClass(MyStuff)
Which also can be written more shorly an less invasively:
class MyStuff(object):
def foo(self):
return 'bar'
from AccessControl import allow_class
allow_class(MyStuff)
So it is. Thanks for the clarification.
What confused me is that the following *does* need
the inheritance from Acquisition:
from Acquisition import Implicit
class Foo3(Implicit):
security = ClassSecurityInfo()
security.declarePublic('bar')
def bar(self):
return hello from foo3
InitializeClass(Foo3)
In this case, if you remove the (Implicit),
you get AccessDenied because The container has no security assertions.
I mistakenly assumed that the same was necessary when using
allow_class. Thanks for clearing that up.
Oh, and the instance needs to be given an acquisition context, too.
e.g. foo = foo.__of__.some_parent
It's only if you want to protect a method with a specific permission
that's not public or private that you'll have to provide acquisition
context so that Zope can find out what roles have this permission and
match them against the current user's roles:
Apparently you're right about this too :-)
I never knew that. Thanks.
--
Paul Winkler
http://www.slinkp.com
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Re: Python Classes and Zope.
Paul Winkler wrote:
On Fri, Dec 02, 2005 at 04:12:01PM +0100, Jean-Marc Orliaguet wrote:
does zope2 do an access control based on acquisition for public methods,
that would be a waste of resources since the answer is always yes,
granted ?
Well, the thing is, the declaration that makes the method public
*has no effect* unless your class participates in acquisition.
That's not true. The objects of this class will be perfectly accessible
to a restricted user:
from AccessControl import ClassSecurityInfo
class MyStuff(object):
security = ClassSecurityInfo()
security.declareObjectPublic()
security.setDefaultAccess('allow')
def foo(self):
return 'bar'
InitializeClass(MyStuff)
Which also can be written more shorly an less invasively:
class MyStuff(object):
def foo(self):
return 'bar'
from AccessControl import allow_class
allow_class(MyStuff)
allow_class does the same thing as declareObjectPublic +
setDefaultAccess('allow')
For instance you could have in you this same code:
from AccessControl import ModuleSecurityInfo
ModuleSecurityInfo('Products.ThisProduct.ThisFile'
).declarePublic('getStuff')
def getStuff():
return MyStuff()
And in restricted code you can then do:
from Products.ThisProduct.ThisFile import getStuff
ob = getStuff()
v = ob.foo()
Oh, and the instance needs to be given an acquisition context, too.
e.g. foo = foo.__of__.some_parent
It's only if you want to protect a method with a specific permission
that's not public or private that you'll have to provide acquisition
context so that Zope can find out what roles have this permission and
match them against the current user's roles:
class MyStuff(Acquisition.Implicit):
security = ClassSecurityInfo()
security.declareObjectPublic()
security.setDefaultAccess('allow')
def foo(self):
return 'bar'
security.declareProtected('View')
def viewit(self):
return 'yo mama'
InitializeClass(MyStuff)
...
def getStuff(context):
return MyStuff().__of__(context)
Then in restricted code you'll be able to do:
...
ob = getStuff(context)
v = ob.viewit()
Florent
--
Florent Guillaume, Nuxeo (Paris, France) Director of RD
+33 1 40 33 71 59 http://nuxeo.com [EMAIL PROTECTED]
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
