Haim Ashkenazi wrote at 2005-6-13 15:43 +0300: > ... >1. __roles__ = () - I didn't understand exactly why but with this >statement I can't access the product either from the ZMI or directly from >the web.
This is a (deprecated) alternative for "security.declareObjectPrivate()". >2. security.setDefaultAccess("deny") - I think I understand why we changed >that, but it's causing a lot of problems. If I add 'delareProtected' for >all my methods, I can access certain pages , but with some pages (maybe >ones that's calling methods form base classes or acquisition like >'title_or_id') I still get errors ("Unauthorized: You are not allowed to >access 'title_or_id' in this context"). trying to solve this I started >adding 'declareProtected' for every method I got error for. I gave up >after 3 methods, but it seem to help. Yes, many methods of "OFS.SimpleItem.SimpleItem" and its base classes rely on its "setDefaultAccess('allow')". If you change this to "deny", you have to provide the explicit security declarations. >so, I was wondering if something was changed in the security model since >2.5 (the version that the book is about) until 2.7, and is there a place >where it's documented (the zope developer guide is versioned 2.4)? "setDefaultAccess('deny')" had a bug in some earlier Zope versions. With the exception of this fix, nothing changed here for a long time. You can still use the Zope Developper Guide... >also, If I'll make sure that every method I have in my module is also >declared as protected, or public, is there a problem with living the >default access as any? As what? The "default access" also controls access to attributes of simple type (strings, tuples, dicts, ...) which cannot have their own security declarations. If you do not access such attributes directly and you provide security declarations for all methods you use, then you can keep "defaultAccess == 'deny'". -- Dieter _______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )