Paul Winkler wrote:
On Fri, Dec 02, 2005 at 04:12:01PM +0100, Jean-Marc Orliaguet wrote:

Does Zope 2 do access control based on acquisition for public methods? That would be a waste of resources since the answer is always "yes, granted".


Well, the thing is, the declaration that makes the method public
*has no effect* unless your class participates in acquisition.

That's not true. The objects of this class will be perfectly accessible to a restricted user:

  from AccessControl import ClassSecurityInfo
  from Globals import InitializeClass   # Zope 2 of that era; applies the declarations
  class MyStuff(object):
      security = ClassSecurityInfo()
      security.declareObjectPublic()          # the instance itself may be accessed
      security.setDefaultAccess('allow')      # undeclared attributes default to public
      def foo(self):
          return 'bar'
  InitializeClass(MyStuff)

Which can also be written more shortly and less invasively:

  class MyStuff(object):
      def foo(self):
          return 'bar'
  from AccessControl import allow_class
  allow_class(MyStuff)

allow_class does the same thing as declareObjectPublic + setDefaultAccess('allow')

For instance you could have, in this same code:

  from AccessControl import ModuleSecurityInfo
  ModuleSecurityInfo('Products.ThisProduct.ThisFile'
    ).declarePublic('getStuff')
  def getStuff():
    return MyStuff()

And in restricted code you can then do:

  from Products.ThisProduct.ThisFile import getStuff
  ob = getStuff()
  v = ob.foo()

>
> Oh, and the instance needs to be given an acquisition context, too.
> e.g.  foo = foo.__of__.some_parent
>


It's only if you want to protect a method with a specific permission that's not public or private that you'll have to provide acquisition context so that Zope can find out what roles have this permission and match them against the current user's roles:

  import Acquisition
  from AccessControl import ClassSecurityInfo
  from Globals import InitializeClass
  class MyStuff(Acquisition.Implicit):
      security = ClassSecurityInfo()
      security.declareObjectPublic()
      security.setDefaultAccess('allow')
      def foo(self):
          return 'bar'
      # declareProtected takes the permission name followed by the method names
      security.declareProtected('View', 'viewit')
      def viewit(self):
          return 'yo mama'
  InitializeClass(MyStuff)
  ...
  def getStuff(context):
      # wrap the instance so the 'View' permission can be resolved via acquisition
      return MyStuff().__of__(context)

Then in restricted code you'll be able to do:

  ...
  ob = getStuff(context)
  v = ob.viewit()

Florent

--
Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]
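The distinction Florent draws above (a public method needs no acquisition context, a permission-protected one does, because the roles holding the permission live on the containers) can be shown with a small stand-alone model. This is an added illustration, not Zope's own AccessControl code: the classes Acquirable, Folder and the functions roles_for_permission and validate are hypothetical, and the "nearest explicit setting wins" rule is a simplification of how Zope resolves permission-to-role settings along the acquisition chain.

```python
"""Toy model of 'public' versus 'permission-protected' method checks.

Added illustration, not Zope code.  It mimics the effect of
declareObjectPublic()/setDefaultAccess('allow') (no lookup at all) versus
declareProtected('View', ...) (must walk the acquisition chain to find
which roles hold 'View').  Every name here is hypothetical.
"""

PUBLIC = None   # sentinel: callable by anyone, mirrors Zope's __roles__ = None


class Acquirable:
    """Minimal stand-in for Acquisition.Implicit: __of__ records a parent."""
    aq_parent = None

    def __of__(self, parent):
        # Zope returns a wrapper object; here we simply remember the parent.
        self.aq_parent = parent
        return self


class Folder(Acquirable):
    """Container carrying a permission -> roles mapping (constructed data)."""
    def __init__(self, name, permission_roles=None):
        self.name = name
        self.permission_roles = dict(permission_roles or {})   # e.g. {'View': ['Manager']}


class MyStuff(Acquirable):
    """Mirrors the class in the mail: foo is public, viewit needs 'View'."""
    method_permissions = {'foo': PUBLIC, 'viewit': 'View'}

    def foo(self):
        return 'bar'

    def viewit(self):
        return 'yo mama'


def roles_for_permission(obj, permission):
    """Walk up the acquisition chain; the nearest explicit setting wins.

    Returns None when no container in the chain sets the permission, which is
    what an instance that was never wrapped with __of__() always gets.
    """
    node = obj
    while node is not None:
        mapping = getattr(node, 'permission_roles', {})
        if permission in mapping:
            return set(mapping[permission])
        node = getattr(node, 'aq_parent', None)
    return None


def validate(user_roles, obj, method_name):
    """True if a user holding user_roles may call obj.method_name()."""
    permission = type(obj).method_permissions.get(method_name, 'Private')
    if permission is PUBLIC:
        return True                      # public: no context lookup needed
    allowed = roles_for_permission(obj, permission)
    if allowed is None:
        return False                     # unwrapped instance: nothing to consult
    return bool(set(user_roles) & allowed)


def demo():
    """Run the four situations discussed in the thread and return the results."""
    site = Folder('site', {'View': ['Anonymous', 'Manager']})
    locked = Folder('locked', {'View': ['Manager']}).__of__(site)
    anon = ['Anonymous']
    return {
        'public_unwrapped': validate(anon, MyStuff(), 'foo'),
        'protected_unwrapped': validate(anon, MyStuff(), 'viewit'),
        'protected_in_site': validate(anon, MyStuff().__of__(site), 'viewit'),
        'protected_in_locked': validate(anon, MyStuff().__of__(locked), 'viewit'),
        'manager_in_locked': validate(['Manager'], MyStuff().__of__(locked), 'viewit'),
    }


if __name__ == '__main__':
    for case, ok in demo().items():
        print('%-22s %s' % (case, 'granted' if ok else 'denied'))
```

The point to take away is the asymmetry: the public call succeeds on a bare instance, while the protected call on a bare instance is denied not because the user lacks a role but because there is no chain to ask, which is exactly why getStuff(context) in the mail wraps the object with __of__(context) before handing it to restricted code.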