[Zope-dev] Re: Zope 2 security and SimpleItem

2005-11-20 Thread Florent Guillaume

[Intended for zope-dev actually...]

Florent Guillaume wrote:

Florent Guillaume wrote:

I'm in the process of refactoring OFS to use new-style security
declarations (about time ;)), and I stumbled on something which may
or may not be a bug, I don't know, I'd like someone else's opinion:


The class SimpleItem has the definition (it's been there since the
beginning of time when SimpleItem was created):

  __ac_permissions__=(('View', ()),)

The unusual thing here is () instead of ('',).



Hm, I now realize that this may be there just to define the View
permission as available, but that's all. But there's still a discrepancy
in the way SecurityInfo treats it.


Ok, I got to the reasons for that; it all dates back to the origins of
SecurityInfo in December 2000, when it originally had methods that did
the work of both declareProtected and declareObjectProtected. I'll fix this.

Florent



Anyway, I'm further in understanding security in Z2 than I've ever been :)

Florent


I think the intent here is that it be the object level protection,  
equivalent to the modern declareObjectProtected('View').

Indeed, if the SimpleItem class had a
  security = ClassSecurityInfo()
(even by itself without further security declaration), then
AccessControl/SecurityInfo, which has the code

  # Empty names list sets access to the class itself, named ''
  if not len(names):
      names = ('',)

would actually turn the () into a ('',), and the end of the security
setup, in App/class_init.py, would set
SimpleItem.__roles__ = PermissionRole('View') and that would be it.


However SimpleItem does *not* have this ClassSecurityInfo, which
means that the code above is not called, and the final logic in
class_init.py does not turn an empty tuple into protection of the object.


It means that SimpleItem does not have an object level protection of
View (but the default, which is that only Manager has access), which
is probably just as well, but not clear from the code.


What do you think I should do?
- fix to use View?
- fix to use nothing?

Florent







--
Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]

___
Zope-CMF maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-cmf

See http://collector.zope.org/CMF for bug reports and feature requests


___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Re: Zope 2 security and SimpleItem

2005-11-20 Thread Chris McDonough


On Nov 20, 2005, at 11:28 AM, Florent Guillaume wrote:


[Intended for zope-dev actually...]

Florent Guillaume wrote:
Ok, I got to the reasons for that; it all dates back to the origins of
SecurityInfo in December 2000, when it originally had methods that did
the work of both declareProtected and declareObjectProtected. I'll
fix this.


Florent


Whew, glad you figured it out because I had no clue. ;-)

- C


Re: [Zope-dev] Re: UI improvements

2005-11-20 Thread Jens Vagelpohl


On 18 Nov 2005, at 23:19, Alexander Limi wrote:

On Fri, 18 Nov 2005 06:56:32 -0800, Andreas Jung [EMAIL PROTECTED] 
jung.com wrote:


In general such changes should be made on the HEAD (for next 2.10  
release).


OK. I was aiming for a quick sprint to get some small changes into
2.9 before release (i.e. no actual code changes, just moving text
and eliminating HappyTalk™ to make the interface usage clearer).


IMHO if this is just UI changes that improve usability it should be  
OK to flout the rules a bit. The rules are there to ensure code  
quality and stability in a release branch - I doubt small UI changes  
endanger those.


jens



[Zope-dev] Bad security declarations

2005-11-20 Thread Florent Guillaume
I've added a long-needed warning if you attempt to make a security  
declaration for a nonexistent method, usually because of typos.  
Checked in for 2.8, 2.9 and trunk.


Look carefully for WARNING in your logs; there are already a few bad
ones in CMF (I don't have time to fix them tonight though):


WARNING Init Class Products.CMFCore.PortalContent.PortalContent has a security declaration for nonexistent method 'manage_FTPget'
WARNING Init Class Products.CMFSetup.tool.SetupTool has a security declaration for nonexistent method 'getImportContextId'
WARNING Init Class Products.CMFSetup.tool.SetupTool has a security declaration for nonexistent method 'runAllSetupSteps'
WARNING Init Class Products.CMFSetup.tool.SetupTool has a security declaration for nonexistent method 'executeStep'


Florent




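
A simplified model of the two points raised in these messages (an empty names tuple in __ac_permissions__ becoming object-level protection only when the SecurityInfo path rewrites it to ('',), and the new warning for a declaration naming a nonexistent method), added here as an illustration; it is not Zope's own code. PermissionRoleStub, apply_permissions, simple_item_like and ToolLike are names made up for the example, and the empty_means_object flag stands in for the presence or absence of a ClassSecurityInfo.

```python
# Added illustration, not Zope's own code: a simplified model of applying an
# __ac_permissions__ table to a class, covering the empty-names-tuple case from
# the SimpleItem thread and the new warning about nonexistent methods.
import logging

log = logging.getLogger("Init")

class PermissionRoleStub(object):
    """Stand-in for AccessControl's PermissionRole: just records the permission."""
    def __init__(self, permission):
        self.permission = permission

    def __eq__(self, other):
        return isinstance(other, PermissionRoleStub) and other.permission == self.permission

def apply_permissions(cls, empty_means_object=False):
    """Set <name>__roles__ (or __roles__ for the object itself) from __ac_permissions__.
    empty_means_object=True mimics SecurityInfo rewriting () to ('',); with
    False, as for SimpleItem without a ClassSecurityInfo, ('View', ()) is a no-op.
    Returns the declared names that do not exist on the class.
    """
    missing = []
    for permission, names in getattr(cls, "__ac_permissions__", ()):
        if empty_means_object and not len(names):
            names = ('',)  # empty names list means the class itself, named ''
        for name in names:
            if name == '':
                cls.__roles__ = PermissionRoleStub(permission)
            elif not hasattr(cls, name):
                missing.append(name)
                log.warning("Class %s has a security declaration for "
                            "nonexistent method %r", cls.__name__, name)
            else:
                setattr(cls, name + "__roles__", PermissionRoleStub(permission))
    return missing

def simple_item_like():
    """Fresh class carrying SimpleItem's declaration: View with an empty names tuple."""
    class SimpleItemLike(object):
        __ac_permissions__ = (('View', ()),)
    return SimpleItemLike

class ToolLike(object):
    """Constructed class with one misspelled declaration, like the CMFSetup warnings."""
    __ac_permissions__ = (('Manage portal', ('listSteps', 'runAllSetupSteps')),)
    def listSteps(self):
        return []
```

Running apply_permissions(ToolLike) logs the same kind of WARNING line as above and returns the misspelled name, while simple_item_like() only gets a __roles__ attribute when empty_means_object is True.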


Re: [Zope-dev] Bad security declarations

2005-11-20 Thread Paul Winkler
On Mon, Nov 21, 2005 at 01:24:52AM +0100, Florent Guillaume wrote:
 I've added a long-needed warning if you attempt to make a security  
 declaration for a nonexistent method, usually because of typos.  
 Checked in for 2.8, 2.9 and trunk.

You are my hero :-)
 
-- 

Paul Winkler
http://www.slinkp.com