[Zope-dev] Re: 2.7.3 beta attribute permission problems

Tres Seaver Tue, 19 Oct 2004 13:38:10 -0700

Dieter Maurer wrote:

Santi Camps wrote at 2004-10-19 15:05 +0200:
... Error Type: Unauthorized* *Error Value: The container has no security assertions. Access to 'get_sum_of_values' of (Adapter instance at 40ae6ac0) denied.*
This tells you that the container containing "get_sum_of_values"
does not have security assertions. Is this wrong?

The container (the class Test.Test in Santi'a product) does have security assertions for *itself*:

class Test(OrderedFolder):
    """
    Test
    """

    meta_type       = 'AccessControl Test'

    security = ClassSecurityInfo()
    security.declareObjectProtected('View')

However it makes no assertion for the attribute 'get_sum_of_values':

    ############################################################
    def get_sum_of_values(self):
        """
        """
        return self.value1 + self.value2

AFAICT, the new behavior is perfectly correct here: absent either an explicit permisison declaration for 'get_sum_of_values', or a "blanket grant" for unprotected subobjects (e.g, 'security.setDefaultAccess(1)'), the template which fails *should* fail; the fact that it used to succeed was merely a security hole.

Tres.
--
===============================================================
Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"       http://www.zope.com

_______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )

[Zope-dev] Re: 2.7.3 beta attribute permission problems

Reply via email to