Stefan H. Holek wrote:
Note that I found it to be relevant which object I want to acquire (don't ask me why, though).

Because the policy checks the roles on the acquired object? As Dieter points out, 'setDefaultAccess(deny)' should only apply to subobjects which do *not* have their own roles.

E.g. going back to my CMFDefault examples, I *can* acquire portal_workflow and portal_url, but I can *not* acquire portal_membership and acl_users from a denied context. Go figure.

If I change the test below to "app.wanted = PartlyProtectedSimpleItem3()" the test fails on current 2_7-branch ...

But that test fails on 2.7.2, as well. My change was actually to the implementation of 'guarded_getattr', which is not tested in 'testZopeSecurityPolicy' (the location of my original patch); rather, its tests are in 'testZopeGuards' (where my second patch applies).

I have not yet bee able to write a good test there yet (one which either passes on the 2.7 head and fails for 2.7.2, or vice versa).

Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"

Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - )

Reply via email to