Could someone have a look at the following 'Boring' class with the security functionality added (as described in ZopeBook/6.Security and some other products). Could 'security' machinery be broken in Zope-2.4.1 ? It surely doesn't seem to work as adverised, on my machine at least (Debian Linux 2.2, Zope 2.4.1 (source release) python 2.1.0, linux2). Tell me if it works on your installation.
Boring.py -------------------------------- __doc__ = "" __version__ = '0.1' import Globals from Globals import HTMLFile # fakes a method from a DTML file from Globals import MessageDialog # provid from Globals import Persistent # makes an object stick in the ZODB import OFS.SimpleItem import Acquisition import AccessControl.Role from AccessControl import ClassSecurityInfo READ_PERM = 'View Stuff' WRITE_PERM = 'Change Stuff' security = ClassSecurityInfo() manage_addBoringForm = HTMLFile('boringAdd', globals()) def manage_addBoring(self, id, title='', REQUEST=None): """Add a Boring to a folder.""" self._setObject(id, Boring(id, title)) if REQUEST is not None: return self.manage_main(self, REQUEST) class Boring( OFS.SimpleItem.Item, # A simple Principia object. Not Folderish. Persistent, # Make us persistent. Yaah! Acquisition.Implicit, # Uh, whatever. AccessControl.Role.RoleManager # Security manager. ): """Boring object. """ meta_type = 'Boring' # what do people think they're adding? manage_options = ( # what management options are there? {'label': 'Edit', 'action': 'manage_main'}, {'label': 'View', 'action': ''}, # defaults to index_html {'label': 'Security', 'action': 'manage_access'}, ) # NOTE: commented out following as it seem to conflict with # 'security.declareP...()' declarations later on # __ac_permissions__=( # what permissions make sense for us? # ('View management screens', ('manage_tabs','manage_main')), # ('Change permissions', ('manage_access',) ), # ('Change Borings' , ('manage_edit',) ), # ('View Borings', ('',) ), # ) def __init__(self, id, title=''): """initialise a new instance of Boring""" self.id = id self.title = title # SECURITY - ==================================================== # here I played with '#'s, then simply tried to access 'index_html' # after each security declaration, # as user 'Anonymous', and noted the results on same line. # 'NOT-WORKING' simply means not working as advertised (allowed access when # it shouldn't, and vice-versa). As you can see, there are too many # 'NOT-WORKING' results. Do you come to similar results? # My conclusion is that security declarations have no effect whatsoever, # whether I declare something, then its oposite, I end up with the same # result. This shouldn't be. security.setPermissionDefault(READ_PERM, ['Stuff Manager','Manager']) security.setDefaultAccess('deny') # <== NOT-WORKING # security.declarePrivate('index_html') # <== NOT-WORKING # security.declarePublic('index_html') # <== OK # security.declareProtected(READ_PERM, 'index_html') # <== NOT-WORKING index_html = HTMLFile('index', globals()) security.declarePublic('manage_main') # <== NOT-WORKING manage_main = HTMLFile('boringEdit', globals()) def manage_edit(self, title, REQUEST=None): " " self.title = title if REQUEST is not None: return MessageDialog( title = 'Edited', message = "Properties for %s changed." % self.id, action = './manage_main', ) Globals.InitializeClass(Boring) -------------------------------- _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )