Stefan H. Holek wrote:
While testing a large-ish customer project under Zope 2.7.3 we found that
when an object with setDefaultAccess('deny') is used as the context for
a PythonScript, the script can no longer aquire tools from the portal

*By definition*, anybody who has declared 'setDefaultAccess('deny') *wants* the behavior you describe: that declaration says, "unless I give you explicit permission for using a name, refuse."

If Plone has classes which make such assertions, then either the authors *meant* them, or they need to be removed. This is (literally) the same thing as declaring '__allow_access_to_unprotected_subobjects__ = 0' in your class.

You could still acquire explicit objects from above, e.g.:

  - Make the class derive from Acquisition.Explicit (might not be
    necessary;  I can't recall whether the 'Acquired' bit works also
    for Acquisition.Implicit instances).

  - For each attribute you want to acquire, add 'foo = Acquired()',
    to the class

  - Make security assertions about each attribute.

Because a test says more than a thousand words, I added one to CMFDefault.

Your test doesn't really belong in CMF, as you are arguing that the current implemtation in Zope is broken.

Please *don't* check such a test in on the HEAD (or branch head) until after this discussion is resolved.

To reproduce:
- get Zope-2_7-branch
- get CMF-1_4-branch
- run tests of CMFDefault, notably

Rolling back this checkin restores functionality:

Note that I was unable to reproduce the issue with CMF 1.5 (or plain Zope, for
that matter). What has changed? Beats me! Note that this issue has the potential
to break each and every Plone site out there.

Ultimately, I feel that unless there is a *very* good reason for removing the aq_acquire call from cAccessControl/ImplPython it should be restored.

Thank you for making the case reproducible; Richard Jones had reported this issue earlier, but couldn't cut it down to a simple case. I will work on adding tests to AccessControl which make the intent clear (we can still argue about whether to keep the change).

Zope Corporation "Zope Dealers"
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - )

Reply via email to