Re: [Zope] DiskBased products and security

2005-06-13 Thread Dieter Maurer
Haim Ashkenazi wrote at 2005-6-13 15:43 +0300:
> ...
>1. __roles__ = () - I didn't understand exactly why but with this
>statement I can't access the product either from the ZMI or directly from
>the web.

This is a (deprecated) alternative for "security.declareObjectPrivate()".

>2. security.setDefaultAccess("deny") - I think I understand why we changed
>that, but it's causing a lot of problems. If I add 'declareProtected' for
>all my methods, I can access certain pages, but with some pages (maybe
>ones that call methods from base classes or acquisition like
>'title_or_id') I still get errors ("Unauthorized: You are not allowed to
>access 'title_or_id' in this context"). Trying to solve this, I started
>adding 'declareProtected' for every method I got an error for. I gave up
>after 3 methods, but it seems to help.

Yes, many methods of "OFS.SimpleItem.SimpleItem" and its base
classes rely on its "setDefaultAccess('allow')".

If you change this to "deny", you have to provide the
explicit security declarations.

>So, I was wondering if something was changed in the security model since
>2.5 (the version that the book is about) until 2.7, and is there a place
>where it's documented (the Zope Developer Guide is versioned 2.4)?

"setDefaultAccess('deny')" had a bug in some earlier Zope versions.
With the exception of this fix, nothing changed here for a long
time. You can still use the Zope Developer Guide...

>Also, if I make sure that every method I have in my module is also
>declared as protected or public, is there a problem with leaving the
>default access as any?

As what?

The "default access" also controls access to attributes of
simple type (strings, tuples, dicts, ...) which cannot have
their own security declarations.

If you do not access such attributes directly and
you provide security declarations for all methods you use,
then you can keep "defaultAccess == 'deny'".

-- 
Dieter
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
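The mechanism Dieter describes, shown as an added model rather than code from the thread or from Zope itself. It is not Zope's AccessControl package: the stand-in `ClassSecurityInfo`, `InitializeClass` and `validate` below only reproduce the way Zope stores declarations on the class (as `<name>__roles__`, `__roles__` and `__allow_access_to_unprotected_subobjects__` attributes) and the order in which the security policy reads them back, so that the three effects in the thread can be reproduced without a Zope install: an inherited `title_or_id` and a plain string attribute becoming Unauthorized once the default is "deny", the error going away when the inherited method gets its own declaration, and `__roles__ = ()` (what `declareObjectPrivate()` sets) locking the object itself even for a Manager. `PERMISSION_ROLES`, `SimpleItem`, `Folder` and the product classes are constructed for the example.

```python
"""Model of Zope 2 class security declarations. Not Zope's code: it stores
declarations the way AccessControl's InitializeClass does (class attributes
'<name>__roles__', '__roles__', '__allow_access_to_unprotected_subobjects__')
and reproduces the policy's lookup, so the effect of setDefaultAccess('deny')
can be seen without a Zope install. PERMISSION_ROLES is a constructed table."""


class Unauthorized(Exception):
    pass


_noroles = object()                                    # "nothing declared"
PERMISSION_ROLES = {"View": ("Manager", "Anonymous")}  # assumed site settings


class ClassSecurityInfo:
    def __init__(self):
        self._names, self._obj, self._default = {}, _noroles, None

    def declareProtected(self, permission, *names):
        for n in names:
            self._names[n] = PERMISSION_ROLES[permission]

    def declarePublic(self, *names):
        for n in names:
            self._names[n] = None              # None: anyone

    def declareObjectPrivate(self):
        self._obj = ()                         # what '__roles__ = ()' does: nobody

    def setDefaultAccess(self, access):
        if access not in ("allow", "deny"):
            raise ValueError(access)
        self._default = access

    def apply(self, cls):
        for n, roles in self._names.items():
            setattr(cls, n + "__roles__", roles)
        if self._obj is not _noroles:
            cls.__roles__ = self._obj
        if self._default is not None:
            cls.__allow_access_to_unprotected_subobjects__ = self._default == "allow"


def InitializeClass(cls):
    info = cls.__dict__.get("security")        # only the class's own declarations
    if info is not None:
        info.apply(cls)
    return cls


def validate(user_roles, container, name):
    """Policy check for container.name; raises Unauthorized like Zope does."""
    value = getattr(container, name)
    roles = getattr(value, "__roles__", _noroles)            # object's own roles
    if roles is _noroles:                                     # then the declaration
        roles = getattr(type(container), name + "__roles__", _noroles)
    if roles is _noroles:
        # Undeclared: an inherited base-class method, or a str/tuple/dict
        # attribute. Only the container's default access decides; absent = deny.
        if not getattr(container, "__allow_access_to_unprotected_subobjects__", False):
            raise Unauthorized(name)
        return value
    if roles is None:
        return value
    if not set(roles) & set(user_roles):                      # () or missing role
        raise Unauthorized(name)
    return value


class SimpleItem:
    """Stand-in for OFS.SimpleItem.SimpleItem: default 'allow', and no
    per-method declaration on title_or_id."""
    security = ClassSecurityInfo()
    security.setDefaultAccess("allow")
    title, id = "", "item"

    def title_or_id(self):
        return self.title or self.id
InitializeClass(SimpleItem)


class StrictProduct(SimpleItem):
    """The book's recipe: default 'deny' plus declarations on own methods."""
    security = ClassSecurityInfo()
    security.setDefaultAccess("deny")
    meta_type = "Strict Product"               # plain str, nothing declared for it

    security.declareProtected("View", "index_html")
    def index_html(self):
        return "hello from " + self.title_or_id()
InitializeClass(StrictProduct)


class FixedProduct(StrictProduct):
    """Re-declares the inherited method, which is what made the error go away."""
    security = ClassSecurityInfo()
    security.declareProtected("View", "title_or_id")
InitializeClass(FixedProduct)


class LockedProduct(SimpleItem):
    security = ClassSecurityInfo()
    security.declareObjectPrivate()            # same as '__roles__ = ()'
InitializeClass(LockedProduct)


class Folder:
    __allow_access_to_unprotected_subobjects__ = True


def outcome(user_roles, container, name):
    try:
        validate(user_roles, container, name)
        return "ok"
    except Unauthorized:
        return "Unauthorized"


def demo():
    strict, fixed, folder = StrictProduct(), FixedProduct(), Folder()
    folder.locked = LockedProduct()
    return {
        "strict.index_html as Manager": outcome(["Manager"], strict, "index_html"),
        "strict.index_html with no roles": outcome([], strict, "index_html"),
        "strict.title_or_id as Manager": outcome(["Manager"], strict, "title_or_id"),
        "strict.meta_type as Manager": outcome(["Manager"], strict, "meta_type"),
        "fixed.title_or_id as Manager": outcome(["Manager"], fixed, "title_or_id"),
        "folder.locked as Manager": outcome(["Manager"], folder, "locked"),
        "SimpleItem().title_or_id as Anonymous":
            outcome(["Anonymous"], SimpleItem(), "title_or_id"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running it shows why the declarations on the product's own methods were not enough: `index_html` is reachable, but the `title_or_id` it calls is looked up on the same object, finds no `title_or_id__roles__` declaration, and falls through to the class's default access, which the subclass turned to "deny". The same fall-through is the only thing that governs `meta_type`, since a string cannot carry a `__roles__` of its own.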


[Zope] DiskBased products and security

2005-06-13 Thread Haim Ashkenazi
Hi

I'm following the example of "The Zope Bible" on how to create disk based
products.

after adding the imports, 'InitializeClass(class)' statement and the
'security = ClassSecurityInfo()' statement he recommends two other
statements:

1. __roles__ = () - I didn't understand exactly why but with this
statement I can't access the product either from the ZMI or directly from
the web.

2. security.setDefaultAccess("deny") - I think I understand why we changed
that, but it's causing a lot of problems. If I add 'declareProtected' for
all my methods, I can access certain pages, but with some pages (maybe
ones that call methods from base classes or acquisition like
'title_or_id') I still get errors ("Unauthorized: You are not allowed to
access 'title_or_id' in this context"). Trying to solve this, I started
adding 'declareProtected' for every method I got an error for. I gave up
after 3 methods, but it seems to help.

So, I was wondering if something was changed in the security model since
2.5 (the version that the book is about) until 2.7, and is there a place
where it's documented (the Zope Developer Guide is versioned 2.4)?

Also, if I make sure that every method I have in my module is also
declared as protected or public, is there a problem with leaving the
default access as any?

thanx

-- 
Haim

