In playing around with some ideas for enhancing
ZClasses, I stumbled into the following:

Using getClassAttr, you can retrieve any attribute of
the Python ZClass including built-in ones like:

icon
_p_changed
__doc__
_p_oid
meta_type
propertysheets
manage_options
__ac_permissions__
_p_serial
__module__
_p_jar

Somewhat more troubling is the fact that I can change
these values using setClassAttr, possibly hosing
things quite well. I don't know if this is a security
flaw, but it looks kinda iffy to me, especially
__ac_permissions__.

This is a consequence of the fact that these user
defined attributes are stored as straight class
attributes. Perhaps they need to be stored in a
dictionary in the ZClass, although this will
unfortunately complicate inheritance. At the least,
access to methods named _* should be restricted. I
will write a patch for this if it is deemed necessary.

Thoughts anyone?


=====
| Casey Duncan
| Kaivo, Inc.
| [EMAIL PROTECTED]
`----------------->

__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - Buy the things you want at great prices! http://auctions.yahoo.com/

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to