[Zope-dev] Re: Zope 2 security and SimpleItem

Sat, 19 Nov 2005 18:45:15 -0800 

Florent Guillaume wrote:
I'm in the process of refactoring OFS to use new-style security declarations (about time ;)), and I stumbled on something which may or may not be a bug, I don't know, I'd like some else's opinion: 


The class SimpleItem has the definition (it's been there since the  
begining of time when SimpleItem was created):

    __ac_permissions__=(('View', ()),)
The unusual thing here is () instead of ('',).



Hm I now realize that this may be there just to define the View 
permission as available but that's all. But there's still a discrepancy 
in the way SecurityInfo treats it.


Anyway I'm further in understanding securiy in Z2 than I've ever been :)

Florent



I think the intent here is that it be the object level protection,  
equivalent to the modern declareObjectProtected('View').

Indeed, if the SimpleItem class had a
  security = ClassSecurityInfo()

(even by itself without further security declaration), then  
AccessControl/SecurityInfo, which has the code

        # Empty names list sets access to the class itself, named ''
        if not len(names):
            names = ('',)

would actually turn the () into a ('',) and the rest of the end of  the 
security setup, in App/class_init.py, would set  SimpleItem.__roles__ = 
PermissionRole('View') and that would be it.



However SimpleItem does *not* have this ClassSecurityInfo, which  means 
that the code above is not called, and the final logic in  class_init.py 
does not turn an empty tuple into "protect the object".



It means that SimpleItem does not have an object level protection of  
View (but the default which is that only Manager has access), which  is 
probably as well but not clear from the code.


What do you think I should do?
- fix to use View?
- fix to use nothing?

Florent




--
Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]
_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **

(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope )






















					Reply via email to