On Mon, 13 Jun 2005 19:13:14 +0200, Dieter Maurer wrote:

> Haim Ashkenazi wrote at 2005-6-13 15:43 +0300:
>> ...
>>1. __roles__ = () - I didn't understand exactly why but with this
>>statement I can't access the product either from the ZMI or directly from
>>the web.
> This is a (deprecated) alternative for "security.declareObjectPrivate()".
>>2. security.setDefaultAccess("deny") - I think I understand why we changed
>>that, but it's causing a lot of problems. If I add 'declareProtected' for
>>all my methods, I can access certain pages, but with some pages (maybe
>>ones that's calling methods from base classes or acquisition like
>>'title_or_id') I still get errors ("Unauthorized: You are not allowed to
>>access 'title_or_id' in this context"). Trying to solve this I started
>>adding 'declareProtected' for every method I got an error for. I gave up
>>after 3 methods, but it seems to help.
> Yes, many methods of "OFS.SimpleItem.SimpleItem" and its base
> classes rely on its "setDefaultAccess('allow')".
> If you change this to "deny", you have to provide the
> explicit security declarations.
>>so, I was wondering if something was changed in the security model since
>>2.5 (the version that the book is about) until 2.7, and is there a place
>>where it's documented (the zope developer guide is versioned 2.4)?
> "setDefaultAccess('deny')" had a bug in some earlier Zope versions.
> With the exception of this fix, nothing changed here for a long
> time. You can still use the Zope Developer Guide...
>>also, if I make sure that every method I have in my module is also
>>declared as protected, or public, is there a problem with leaving the
>>default access as any?
> As what?
sorry, I was unclear there :)

What I meant is: if I won't leave any method undeclared (security wise) in
my class, will it be a security risk to leave the default access
(setDefaultAccess('any'))? Can I protect uncallable objects (like
variables) the same way?

> The "default access" also controls access to attributes of simple type
> (strings, tuples, dicts, ...) which cannot have their own security
> declarations.
> If you do not access such attributes directly and you provide security
> declarations for all methods you use, then you can keep "defaultAccess
> == 'deny'".
thanx a lot for a very informative answer.
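A small model of the mechanics Dieter describes, added here as an example that is neither from the thread nor Zope's own code: SecurityInfo and can_access are assumed, simplified stand-ins for ClassSecurityInfo/InitializeClass and the guard's validate(), PERMISSION_ROLES is a constructed table, but the attribute names written (`<name>__roles__`, `__allow_access_to_unprotected_subobjects__`) are the ones the real declarations set, and the outcome shows why an inherited, undeclared method like title_or_id and a plain string attribute both fail under setDefaultAccess('deny').

```python
# Constructed permission -> roles table (in Zope this comes from the object's
# permission settings; real Zope resolves PermissionRole objects at runtime).
PERMISSION_ROLES = {'View': ('Anonymous', 'Manager'), 'Manage portal': ('Manager',)}
_UNDECLARED = object()          # sentinel: no <name>__roles__ attribute at all

class SecurityInfo:             # toy stand-in for ClassSecurityInfo; apply() plays InitializeClass
    def __init__(self):
        self._decls, self._default = {}, 1          # default is 'allow'
    def setDefaultAccess(self, mode):
        self._default = 0 if mode == 'deny' else 1
    def declareProtected(self, permission, *names):
        for n in names: self._decls[n] = PERMISSION_ROLES[permission]
    def declarePublic(self, *names):
        for n in names: self._decls[n] = None       # ACCESS_PUBLIC
    def declarePrivate(self, *names):
        for n in names: self._decls[n] = ()         # ACCESS_PRIVATE
    def apply(self, cls):
        cls.__allow_access_to_unprotected_subobjects__ = self._default
        for n, roles in self._decls.items():
            setattr(cls, n + '__roles__', roles)

def can_access(obj, name, user_roles):
    """Simplified validate(): object __roles__, then <name>__roles__, then default."""
    obj_roles = getattr(obj, '__roles__', None)
    if obj_roles is not None and not set(obj_roles) & set(user_roles):
        return False                                # __roles__ = () : object-private
    roles = getattr(type(obj), name + '__roles__', _UNDECLARED)
    if roles is _UNDECLARED:                        # inherited or simple-type attribute
        return bool(getattr(type(obj), '__allow_access_to_unprotected_subobjects__', 1))
    return roles is None or bool(set(roles) & set(user_roles))

class SimpleItem:                                   # stand-in for OFS.SimpleItem.SimpleItem
    __allow_access_to_unprotected_subobjects__ = 1  # its setDefaultAccess('allow')
    def title_or_id(self):
        return 'item'

class MyProduct(SimpleItem):                        # the thread's situation
    security = SecurityInfo()
    security.setDefaultAccess('deny')
    security.declareProtected('View', 'index_html')
    title = 'plain string: cannot carry its own declaration'
    def index_html(self):
        return 'hello'
MyProduct.security.apply(MyProduct)

class FixedProduct(MyProduct):                      # declares the inherited method too
    security = SecurityInfo()
    security.setDefaultAccess('deny')
    security.declareProtected('View', 'index_html', 'title_or_id')
FixedProduct.security.apply(FixedProduct)
```

The string attribute stays unreachable even on FixedProduct, which is Dieter's point: only access it through a declared method, or keep the default at 'allow'.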


Zope maillist  -  Zope@zope.org