In playing around with some ideas for enhancing ZClasses, I stumbled into the following: Using getClassAttr, you can retrieve any attribute of the Python ZClass including built-in ones like: icon _p_changed __doc__ _p_oid meta_type propertysheets manage_options __ac_permissions__ _p_serial __module__ _p_jar Somewhat more troubling is the fact that I can change these values using setClassAttr, possibly hosing things quite well. I don't know if this is a security flaw, but it looks kinda iffy to me, especially __ac_permissions__. This is a consequence of the fact that these user defined attributes are stored as straight class attributes. Perhaps they need to be stored in a dictionary in the ZClass, although this will unfortunately complicate inheritance. At the least, access to methods named _* should be restricted. I will write a patch for this if it is deemed necessary. Thoughts anyone? ===== | Casey Duncan | Kaivo, Inc. | [EMAIL PROTECTED] `-----------------> __________________________________________________ Do You Yahoo!? Yahoo! Auctions - Buy the things you want at great prices! http://auctions.yahoo.com/ _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
