Could someone have a look at the following 'Boring' class with the security 
functionality added (as described in ZopeBook/6.Security and some other products). 
Could 'security' machinery be broken in Zope-2.4.1 ? It surely doesn't seem to work as 
adverised, on my machine at least (Debian Linux 2.2, Zope 2.4.1 (source release) 
python 2.1.0, linux2). Tell me if it works on your installation.
__doc__ = ""
__version__ = '0.1'
import Globals
from Globals import HTMLFile      # fakes a method from a DTML file
from Globals import MessageDialog # provid
from Globals import Persistent    # makes an object stick in the ZODB
import OFS.SimpleItem
import Acquisition
import AccessControl.Role
from AccessControl import ClassSecurityInfo

READ_PERM = 'View Stuff'
WRITE_PERM = 'Change Stuff'
security = ClassSecurityInfo()

manage_addBoringForm = HTMLFile('boringAdd', globals())
def manage_addBoring(self, id, title='', REQUEST=None):
        """Add a Boring to a folder."""
        self._setObject(id, Boring(id, title))
        if REQUEST is not None:
                return self.manage_main(self, REQUEST)

class Boring(
    OFS.SimpleItem.Item,   # A simple Principia object. Not Folderish.
    Persistent,            # Make us persistent. Yaah!
    Acquisition.Implicit,  # Uh, whatever.
    AccessControl.Role.RoleManager # Security manager.
        """Boring object. """
        meta_type = 'Boring' # what do people think they're adding?
        manage_options = ( # what management options are there?
        {'label': 'Edit',       'action': 'manage_main'},
        {'label': 'View',       'action': ''}, # defaults to index_html
        {'label': 'Security',   'action': 'manage_access'},

# NOTE: commented out following as it seem to conflict with 
#              'security.declareP...()' declarations later on
#    __ac_permissions__=( # what permissions make sense for us?
#       ('View management screens', ('manage_tabs','manage_main')),
#       ('Change permissions',      ('manage_access',)           ),
#       ('Change Borings'     ,     ('manage_edit',)             ),
#       ('View Borings',            ('',)                        ),
#       )

        def __init__(self, id, title=''):
                """initialise a new instance of Boring"""
       = id
                self.title = title

#   SECURITY -   ====================================================
# here I played with '#'s, then simply tried to access 'index_html'
# after each security declaration,
# as user 'Anonymous', and noted the results on same line. 
# 'NOT-WORKING' simply means not working as advertised (allowed access when 
# it shouldn't, and vice-versa). As you can see, there are too many 
# 'NOT-WORKING' results. Do you come to similar results?
# My conclusion is that security declarations have no effect whatsoever,
# whether I declare something, then its oposite, I end up with the same
# result. This shouldn't be.

                            ['Stuff Manager','Manager'])
        security.setDefaultAccess('deny')               #       <== NOT-WORKING

#       security.declarePrivate('index_html')   #       <== NOT-WORKING
#       security.declarePublic('index_html')    #       <== OK
#       security.declareProtected(READ_PERM, 'index_html') #  <== NOT-WORKING

        index_html = HTMLFile('index', globals())

        security.declarePublic('manage_main')   #       <== NOT-WORKING
        manage_main = HTMLFile('boringEdit', globals())

        def manage_edit(self, title, REQUEST=None):
                " "
                self.title = title
                if REQUEST is not None:
                    return MessageDialog(
                        title = 'Edited',
                        message = "Properties for %s changed." %,
                        action = './manage_main',



Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to