On Fri, Dec 02, 2005 at 11:57:16PM +0100, Florent Guillaume wrote:
> Paul Winkler wrote:
> >Well, the thing is, the declaration that makes the method public
> >*has no effect* unless your class participates in acquisition.
> That's not true. The objects of this class will be perfectly accessible 
> to a restricted user:
>   from AccessControl import ClassSecurityInfo
>   class MyStuff(object):
>       security = ClassSecurityInfo()
>       security.declareObjectPublic()
>       security.setDefaultAccess('allow')
>       def foo(self):
>           return 'bar'
>   InitializeClass(MyStuff)
> Which also can be written more shorly an less invasively:
>   class MyStuff(object):
>       def foo(self):
>           return 'bar'
>   from AccessControl import allow_class
>   allow_class(MyStuff)

So it is. Thanks for the clarification.

What confused me is that the following *does* need
the inheritance from Acquisition:

from Acquisition import Implicit
class Foo3(Implicit):
    security = ClassSecurityInfo()
    def bar(self):
        return "hello from foo3"

In this case, if you remove the (Implicit), 
you get AccessDenied because "The container has no security assertions".

I mistakenly assumed that the same was necessary when using
allow_class.  Thanks for clearing that up.
> > Oh, and the instance needs to be given an acquisition context, too.
> > e.g.  foo = foo.__of__.some_parent
> It's only if you want to protect a method with a specific permission 
> that's not public or private that you'll have to provide acquisition 
> context so that Zope can find out what roles have this permission and 
> match them against the current user's roles:

Apparently you're right about this too :-)
I never knew that. Thanks.


Paul Winkler
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to