Re: [Zope] Re: Python Classes and Zope.
Florent Guillaume wrote: Paul Winkler wrote: On Fri, Dec 02, 2005 at 04:12:01PM +0100, Jean-Marc Orliaguet wrote: does zope2 do an access control based on acquisition for public methods, that would be a waste of resources since the answer is always yes, granted ? Well, the thing is, the declaration that makes the method public *has no effect* unless your class participates in acquisition. That's not true. The objects of this class will be perfectly accessible to a restricted user: from AccessControl import ClassSecurityInfo class MyStuff(object): security = ClassSecurityInfo() security.declareObjectPublic() security.setDefaultAccess('allow') def foo(self): return 'bar' InitializeClass(MyStuff) In Zope 2.7.8 I get a segmentation fault when I try to do the above; I also have the following code that manages this for any class (to avoid having to do that for every single class): def _ZopifyClass(a_class): a_class.security = ClassSecurityInfo() a_class.security.declareObjectPublic() # Segmentation fault security.setDefaultAccess('allow') InitializeClass(a_class) I cannot swithc to Zope 2.8 because my code runs in PLone 2.05 and it does not work with Zope 2.8. The segmentation fault occurs in the declareObjectPublic() statement. Is there a fix for the Zope 2.7 to this problem? Thanks. /dario -- -- --- Dario Lopez-Kästen, IT Systems Services Chalmers University of Tech. Lyrics applied to programming application design: emancipate yourself from mental slavery - redemption song, b. marley ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Python Classes and Zope.
Dario Lopez-Kästen wrote: Florent Guillaume wrote: Paul Winkler wrote: On Fri, Dec 02, 2005 at 04:12:01PM +0100, Jean-Marc Orliaguet wrote: does zope2 do an access control based on acquisition for public methods, that would be a waste of resources since the answer is always yes, granted ? Well, the thing is, the declaration that makes the method public *has no effect* unless your class participates in acquisition. That's not true. The objects of this class will be perfectly accessible to a restricted user: from AccessControl import ClassSecurityInfo class MyStuff(object): security = ClassSecurityInfo() security.declareObjectPublic() security.setDefaultAccess('allow') def foo(self): return 'bar' InitializeClass(MyStuff) In Zope 2.7.8 I get a segmentation fault when I try to do the above; I also have the following code that manages this for any class (to avoid having to do that for every single class): def _ZopifyClass(a_class): a_class.security = ClassSecurityInfo() a_class.security.declareObjectPublic() # Segmentation fault security.setDefaultAccess('allow') InitializeClass(a_class) I cannot swithc to Zope 2.8 because my code runs in PLone 2.05 and it does not work with Zope 2.8. The segmentation fault occurs in the declareObjectPublic() statement. Is there a fix for the Zope 2.7 to this problem? Thanks. /dario is it a typo, or did you mean: a_class.security.setDefaultAccess('allow') ? /JM ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Python Classes and Zope.
Jean-Marc Orliaguet wrote: is it a typo, or did you mean: a_class.security.setDefaultAccess('allow') it is a type and I do mean a_class.security.setDefaultAccess('allow'). /dario -- -- --- Dario Lopez-Kästen, IT Systems Services Chalmers University of Tech. Lyrics applied to programming application design: emancipate yourself from mental slavery - redemption song, b. marley ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Python Classes and Zope.
Dario Lopez-Kästen wrote: Florent Guillaume wrote: Paul Winkler wrote: On Fri, Dec 02, 2005 at 04:12:01PM +0100, Jean-Marc Orliaguet wrote: does zope2 do an access control based on acquisition for public methods, that would be a waste of resources since the answer is always yes, granted ? Well, the thing is, the declaration that makes the method public *has no effect* unless your class participates in acquisition. That's not true. The objects of this class will be perfectly accessible to a restricted user: from AccessControl import ClassSecurityInfo class MyStuff(object): security = ClassSecurityInfo() security.declareObjectPublic() security.setDefaultAccess('allow') def foo(self): return 'bar' InitializeClass(MyStuff) In Zope 2.7.8 I get a segmentation fault when I try to do the above; I also have the following code that manages this for any class (to avoid having to do that for every single class): def _ZopifyClass(a_class): a_class.security = ClassSecurityInfo() a_class.security.declareObjectPublic() # Segmentation fault security.setDefaultAccess('allow') InitializeClass(a_class) I cannot swithc to Zope 2.8 because my code runs in PLone 2.05 and it does not work with Zope 2.8. The segmentation fault occurs in the declareObjectPublic() statement. Is there a fix for the Zope 2.7 to this problem? Thanks. /dario that's because it does not seem to work with new-style python classes in zope2.7 it works with: class MyStuff: instead of: class MyStuff(object): This is what you would have got: File /opt/Zope-2.7/lib/python/AccessControl/SecurityInfo.py, line 165, in apply dict['%s__roles__' % name] = access TypeError: object does not support item assignment if you'd run it without the extra call. now, the question is if it's worth the extra effort. /JM ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Python Classes and Zope.
Jean-Marc Orliaguet wrote: that's because it does not seem to work with new-style python classes in zope2.7 it works with: class MyStuff: instead of: class MyStuff(object): This is what you would have got: File /opt/Zope-2.7/lib/python/AccessControl/SecurityInfo.py, line 165, in apply dict['%s__roles__' % name] = access TypeError: object does not support item assignment if you'd run it without the extra call. now, the question is if it's worth the extra effort. aha!; thanks for the explanation. Well, as you know, we have not officially gotten so far with implementing new style class features on our base classes (that is, unless you have checked in som extra code lately that relies on NSC) Considering the time frame we are living with - yes, not using NSC is definitely the way to go for now, until I have time to upgrade to Plone 2.1.1 and Zope 2.8 or 2.9. Thanks! /dario -- -- --- Dario Lopez-Kästen, IT Systems Services Chalmers University of Tech. Lyrics applied to programming application design: emancipate yourself from mental slavery - redemption song, b. marley ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Python Classes and Zope.
On Fri, Dec 02, 2005 at 11:57:16PM +0100, Florent Guillaume wrote: Paul Winkler wrote: (snip) Well, the thing is, the declaration that makes the method public *has no effect* unless your class participates in acquisition. That's not true. The objects of this class will be perfectly accessible to a restricted user: from AccessControl import ClassSecurityInfo class MyStuff(object): security = ClassSecurityInfo() security.declareObjectPublic() security.setDefaultAccess('allow') def foo(self): return 'bar' InitializeClass(MyStuff) Which also can be written more shorly an less invasively: class MyStuff(object): def foo(self): return 'bar' from AccessControl import allow_class allow_class(MyStuff) So it is. Thanks for the clarification. What confused me is that the following *does* need the inheritance from Acquisition: from Acquisition import Implicit class Foo3(Implicit): security = ClassSecurityInfo() security.declarePublic('bar') def bar(self): return hello from foo3 InitializeClass(Foo3) In this case, if you remove the (Implicit), you get AccessDenied because The container has no security assertions. I mistakenly assumed that the same was necessary when using allow_class. Thanks for clearing that up. Oh, and the instance needs to be given an acquisition context, too. e.g. foo = foo.__of__.some_parent It's only if you want to protect a method with a specific permission that's not public or private that you'll have to provide acquisition context so that Zope can find out what roles have this permission and match them against the current user's roles: Apparently you're right about this too :-) I never knew that. Thanks. -- Paul Winkler http://www.slinkp.com ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Re: Python Classes and Zope.
Paul Winkler wrote: On Fri, Dec 02, 2005 at 04:12:01PM +0100, Jean-Marc Orliaguet wrote: does zope2 do an access control based on acquisition for public methods, that would be a waste of resources since the answer is always yes, granted ? Well, the thing is, the declaration that makes the method public *has no effect* unless your class participates in acquisition. That's not true. The objects of this class will be perfectly accessible to a restricted user: from AccessControl import ClassSecurityInfo class MyStuff(object): security = ClassSecurityInfo() security.declareObjectPublic() security.setDefaultAccess('allow') def foo(self): return 'bar' InitializeClass(MyStuff) Which also can be written more shorly an less invasively: class MyStuff(object): def foo(self): return 'bar' from AccessControl import allow_class allow_class(MyStuff) allow_class does the same thing as declareObjectPublic + setDefaultAccess('allow') For instance you could have in you this same code: from AccessControl import ModuleSecurityInfo ModuleSecurityInfo('Products.ThisProduct.ThisFile' ).declarePublic('getStuff') def getStuff(): return MyStuff() And in restricted code you can then do: from Products.ThisProduct.ThisFile import getStuff ob = getStuff() v = ob.foo() Oh, and the instance needs to be given an acquisition context, too. e.g. foo = foo.__of__.some_parent It's only if you want to protect a method with a specific permission that's not public or private that you'll have to provide acquisition context so that Zope can find out what roles have this permission and match them against the current user's roles: class MyStuff(Acquisition.Implicit): security = ClassSecurityInfo() security.declareObjectPublic() security.setDefaultAccess('allow') def foo(self): return 'bar' security.declareProtected('View') def viewit(self): return 'yo mama' InitializeClass(MyStuff) ... def getStuff(context): return MyStuff().__of__(context) Then in restricted code you'll be able to do: ... ob = getStuff(context) v = ob.viewit() Florent -- Florent Guillaume, Nuxeo (Paris, France) Director of RD +33 1 40 33 71 59 http://nuxeo.com [EMAIL PROTECTED] ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )