Tres Seaver wrote at 2004-10-9 12:04 -0400:
>Stefan H. Holek wrote:
>> While testing a large-ish customer project under Zope 2.7.3 we found that
>> when an object with setDefaultAccess('deny') is used as the context for
>> a PythonScript, the script can no longer aquire tools from the portal
>> root.
>*By definition*, anybody who has declared 'setDefaultAccess('deny') 
>*wants* the behavior you describe:  that declaration says, "unless I 
>give you explicit permission for using a name, refuse."

I do *NOT* think that this is the intended semantics of

In my view, "setDefaultAccess(XXX)" should only affect objects
that do not have security declarations themselves.
Acquired tools have security declarations -- they should not be
affected by "setDefaultAccess".

>If Plone has classes which make such assertions, then either the authors 
>*meant* them, or they need to be removed.  This is (literally) the same 
>thing as declaring '__allow_access_to_unprotected_subobjects__ = 0' in 
>your class.

With this name, it becomes even clearer:

  Acquires tools are neither "unprotected" nor "subobjects".

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to