While porting one ZTK app to Python 3 I discovered the following
problems with zope.security:

1) There was a package zope.app.security, which, along with zope.app
baggage provided security declarations for BTrees and PersistentDict,
PersistentList.  They were in a separate file, _protections.zcml.
What would be a good place for these from now on?  zope.security?

There is also a file globalmodules.zcml in zope.app.security, which
declares public APIs of a lot of standard library modules.  These
declarations don't seem to enable open access on attributes of those
classes, though.  Is that a leftover of old untrusted TTW code
attempts or does it do something useful?

2) PersistentDict on Py3 is based on collections.abc.Mapping, which
uses classes such as collections.abc.View, KeysView, ValuesView
for the results of the relevant methods.  These classes currently have
no security declarations.  Perhaps all immutable/view classes in
collections.abc should be added to the list of basic types in
zope.security.checker?  Or just declared together with persistent and
BTrees classes?  For Python 2 we can hedge out the declarations with
zcml:condition="not-installed collections.abc".

3) BTrees have problems with security, too.  Their items/keys/values
methods return objects of classes like OOBTreeItems.  On Python 2
zope.security used to pass them through, on Python 3 I'm getting
ForbiddenAttribute errors.  These classes don't seem importable, so
it's not obvious how to declare their permissions.

Thoughts?  Advice?

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope )

Reply via email to