[Zope-dev] attribute protection question
In the new security model is it just attributes that are methods that are protected or is it all attributes?

For example, I have a lump of text in an Article class which is stored in self.body.

Now, would I need body__roles__=None or something similar to be able to do: dtml-var body ?

cheers,

Chris

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] attribute protection question
> In the new security model is it just attributes that are methods that are
> protected or is it all attributes?

All attributes - methods just happen to be the most common case.

> Now, would I need body__roles__=None or something similar to be able to do:
> dtml-var body

Yes, or (better) associate the name of the attribute with a permission.

Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com

RE: [Zope-dev] attribute protection question
> Hmmm. Hence the problem with properties that meant OFS.Item.SimpleItem had
> to have __allow_access_to_unprotected_subobjects__=1?
>
> Can you not just assign roles to properties as they're created or am I
> missing something else?

That's one way to do it - but it will require some thought to make sure we do it right. Having the "=1" assertion is a short-term solution intended to avoid breaking everyone's code for 2.2 while taking a step on the road to changing the default policy. I expect that it will soon make a distinction between properties and attributes that are not properties, which will be the next step on the road.

I'd like to see this for 2.3, but I don't promise specific features for particular release numbers anymore :) I do want it to be Soon. My hope is that we'll release a 2.x beta where:

  o far fewer things are available via the __allow_... hack

  o product authors and app builders will have auth problems because they're using attrs formerly covered by the hack

  o the new security assertion spelling from dev.zope.org will be available and make it much easier for people to go in and protect the problem attrs correctly :)

  o most if not all of the Zope core will be using the new assertion style, which will help the product authors along with the "guide" to making security assertions that will be a deliverable of that dev.zope.org project

  o we'll be one more step closer to where we want to be

Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com
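
Added example, not part of any post in this thread and not Zope's own code: a simplified Python model of the checks discussed above, comparing an attribute with no assertion, `body__roles__ = None`, a name tied to a permission, and the blanket `__allow_access_to_unprotected_subobjects__ = 1` flag. The names `validate`, `protect`, `permissions`, `PERMISSION_ROLES` and the sample classes are hypothetical; only `body__roles__` and the blanket flag come from the thread.

```python
# Simplified model of the attribute checks discussed in this thread.
# Not Zope's AccessControl code: validate(), protect() and PERMISSION_ROLES are hypothetical.
_MISSING = object()

# Constructed permission -> roles mapping, for illustration only.
PERMISSION_ROLES = {"View": ("Anonymous", "Manager"), "Edit": ("Manager",)}


def protect(cls):
    """Expand a class-level {permission: names} table into name__roles__ attributes."""
    for permission, names in getattr(cls, "permissions", {}).items():
        for name in names:
            setattr(cls, name + "__roles__", PERMISSION_ROLES[permission])
    return cls


def validate(container, name, user_roles):
    """Return True if a user holding user_roles may read container.<name>."""
    roles = getattr(container, name + "__roles__", _MISSING)
    if roles is _MISSING:
        # No assertion for this name: only the blanket flag can allow it.
        return bool(getattr(container, "__allow_access_to_unprotected_subobjects__", 0))
    if roles is None:
        return True  # explicitly public
    return any(role in roles for role in user_roles)


class Unprotected:
    body = "text"  # plain data attribute, no security assertion at all


class PublicBody:
    body = "text"
    body__roles__ = None  # the spelling from the question


@protect
class PermissionBody:
    body = "text"
    draft = "notes"
    permissions = {"View": ("body",), "Edit": ("draft",)}


class BlanketAllow:
    __allow_access_to_unprotected_subobjects__ = 1  # the short-term "=1" assertion
    body = "text"
    secret = "never meant to be published"
```

In this model the blanket flag also exposes `secret`, which is why per-name assertions are the narrower choice.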