[Zope-Perl] security

Chris McDonough chrism@digicool.com
Wed, 24 Jan 2001 16:40:19 -0500


Thanks for the clarification...  As a result, I was able to make this work
by changing AccessControl.SimpleObjectPolicies.. e.g.:

__doc__='''Collect rules for access to objects that don\'t have roles.

$Id: SimpleObjectPolicies.py,v 1.6 2001/01/10 20:21:03 chrism Exp $'''
__version__='$Revision: 1.6 $'[11:-2]

_noroles=[] # this is imported from various places

import Record
try:
    import perl
    perlhash = perl.get_ref("%")
    perlarry = perl.get_ref("@")
except:
    perlhash = {}
    perlarry = []
# Allow access to unprotected attributes
Record.Record.__allow_access_to_unprotected_subobjects__=1

ContainerAssertions={
    type(()): 1,
    type([]): 1,
    type({}): 1,
    type(perlhash): 1,
    type(perlarry): 1
    }

... although I don't think we want to solve it this way (unless we do :-).

I think it would serve the same purpose for perlref instances to always have
a __roles__ class attribute set to None and an
__allow_access_to_unprotected_subobjects__ class attr set to 1 (although I
don't know if this offends your sensibility :-)

----- Original Message -----
From: "Gisle Aas" <gisle@ActiveState.com>
To: "Chris McDonough" <chrism@digicool.com>
Cc: <zope-perl@zope.org>
Sent: Wednesday, January 24, 2001 3:59 PM
Subject: Re: [Zope-Perl] security


> "Chris McDonough" <chrism@digicool.com> writes:
>
> > > > .. but I can't setattr on the perlref instance, so this doesn't work.
> > >
> > > The issue should be the same if you return a plain Python dict object,
> > > or am I missing something.
> >
> > I believe the security machinery currently gathers __roles__ from things
> > that are of Python type InstanceType (of which perlref is one).
>
> This should not be the case.  Perl ref objects are a separate type
> called 'perl ref':
>
>   $ python
>   Python 1.5.2 (#2, Sep 29 2000, 15:50:24)  [GCC egcs-2.91.66 19990314/Linux (egcs- on linux2
>   Copyright 1991-1995 Stichting Mathematisch Centrum, Amsterdam
>   >>> import perl
>   >>> type(perl.get_ref("%"))
>   <type 'perl ref'>
>   >>> type(perl.eval("\%INC"))
>   <type 'perl ref'>
>   >>> type(perl.eval("Python::dict(%INC)"))
>   <type 'dictionary'>
>
> Inside ZopeSecurityPolicy's validate I find:
>
>             if p is not None:
>                 tp=type(p)
>                 if tp is not IntType:
>                     if tp is DictType:
>                         p=p.get(name, None)
>                     else:
>                         p=p(name, value)
>
> so it seems to special case dicts?
>
> --Gisle
>
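
Added example, not part of the original messages and not Zope's own code: a simplified Python 3 model of the dispatch Gisle quotes from validate, showing what a blanket 1 in ContainerAssertions exposes compared with a per-name dict or a callable. The PerlRef class, the sample keys, the deny-when-absent branch and the final allow/deny step are assumptions.

```python
# Simplified model of the dispatch quoted above; not Zope's source.
# Assumption: the final value of p is treated as allow (truthy) / deny (falsy).

class PerlRef:
    """Hypothetical stand-in for the 'perl ref' type; wraps a dict."""
    def __init__(self, data):
        self.data = data


def check(assertions, container, name, value):
    """Return True if `name` may be read from `container` under `assertions`."""
    p = assertions.get(type(container))
    if p is None:
        return False            # assumption: no assertion for the type means deny
    if not isinstance(p, int):
        if isinstance(p, dict):
            p = p.get(name)     # per-name policy: only listed names pass
        else:
            p = p(name, value)  # callable policy decides per access
    return bool(p)


# Blanket assertion, as in the SimpleObjectPolicies change: every key is readable.
BLANKET = {tuple: 1, list: 1, dict: 1, PerlRef: 1}

# Narrower alternatives (constructed): an allow-list of names, or a callable.
PER_NAME = {PerlRef: {"title": 1, "body": 1}}
CALLABLE = {PerlRef: lambda name, value: not name.startswith("_")}

# Constructed sample data standing in for a hash returned from Perl code.
ref = PerlRef({"title": "t", "body": "b", "_dbh_password": "s3cret"})


def readable(assertions, container):
    """Names in container.data that the policy would expose."""
    return sorted(n for n, v in container.data.items()
                  if check(assertions, container, n, v))


if __name__ == "__main__":
    for label, policy in (("blanket", BLANKET), ("per-name", PER_NAME),
                          ("callable", CALLABLE), ("none", {})):
        print(label, readable(policy, ref))
```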