[Zope-Perl] security
Chris McDonough
chrism@digicool.com
Wed, 24 Jan 2001 16:40:19 -0500
Thanks for the clarification... As a result, I was able to make this work
by changing AccessControl.SimpleObjectPolicies.. e.g.:
__doc__='''Collect rules for access to objects that don\'t have roles.
$Id: SimpleObjectPolicies.py,v 1.6 2001/01/10 20:21:03 chrism Exp $'''
__version__='$Revision: 1.6 $'[11:-2]

_noroles=[] # this is imported from various places

import Record

# Get sample perl hash and array refs so their type can be registered below;
# fall back to plain Python containers when the perl module is unavailable.
try:
    import perl
    perlhash = perl.get_ref("%")
    perlarry = perl.get_ref("@")
except:
    perlhash = {}
    perlarry = []

# Allow access to unprotected attributes
Record.Record.__allow_access_to_unprotected_subobjects__=1

ContainerAssertions={
    type(()): 1,
    type([]): 1,
    type({}): 1,
    type(perlhash): 1,
    type(perlarry): 1
    }
... although I don't think we want to solve it this way (unless we do :-).
I think it would serve the same purpose for perlref instances to always have
a __roles__ class attribute set to None and an
__allow_access_to_unprotected_subobjects__ class attr set to 1 (although I
don't know if this offends your sensibility :-)
----- Original Message -----
From: "Gisle Aas" <gisle@ActiveState.com>
To: "Chris McDonough" <chrism@digicool.com>
Cc: <zope-perl@zope.org>
Sent: Wednesday, January 24, 2001 3:59 PM
Subject: Re: [Zope-Perl] security
> "Chris McDonough" <chrism@digicool.com> writes:
>
> > > > .. but I can't setattr on the perlref instance, so this doesn't work.
> > >
> > > The issue should be the same if you return a plain Python dict object,
> > > or am I missing something.
> >
> > I believe the security machinery currently gathers __roles__ from things
> > that are of Python type InstanceType (of which perlref is one).
>
> This should not be the case. Perl ref objects are a separate type
> called 'perl ref':
>
> $ python
> Python 1.5.2 (#2, Sep 29 2000, 15:50:24) [GCC egcs-2.91.66 19990314/Linux (egcs- on linux2
> Copyright 1991-1995 Stichting Mathematisch Centrum, Amsterdam
> >>> import perl
> >>> type(perl.get_ref("%"))
> <type 'perl ref'>
> >>> type(perl.eval("\%INC"))
> <type 'perl ref'>
> >>> type(perl.eval("Python::dict(%INC)"))
> <type 'dictionary'>
>
> Inside ZopeSecurityPolicy's validate I find:
>
>     if p is not None:
>         tp=type(p)
>         if tp is not IntType:
>             if tp is DictType:
>                 p=p.get(name, None)
>             else:
>                 p=p(name, value)
>
> so it seems to special case dicts?
>
> --Gisle
>
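
The two approaches discussed in this thread (registering the 'perl ref' type in ContainerAssertions, or giving the type a class-level __allow_access_to_unprotected_subobjects__), as an added Python 3 sketch that is not Zope's or pyperl's code. PerlRef, PerlRefWithPolicy, unprotected_access_allowed and demo are hypothetical names, and the lookup order (type table first, then the attribute) is an assumption of the sketch; only the int/dict/callable branch comes from the quoted validate excerpt.

```python
# Simplified model of the decision discussed in this thread; not Zope source.
# Assumption: the policy consults the type-keyed table first, then falls back
# to the __allow_access_to_unprotected_subobjects__ attribute.

class PerlRef:
    """Hypothetical stand-in for the 'perl ref' type; __slots__ blocks setattr."""
    __slots__ = ("_data",)

    def __init__(self, data):
        self._data = dict(data)

class PerlRefWithPolicy(PerlRef):
    """Alternative from the message: the type itself carries the assertion."""
    __slots__ = ()
    __allow_access_to_unprotected_subobjects__ = 1

def unprotected_access_allowed(container, name, value, assertions):
    """Return True if `name` may be read from a container that has no roles."""
    p = assertions.get(type(container))
    if p is None:
        p = getattr(container, "__allow_access_to_unprotected_subobjects__", None)
    if p is None:
        return False                 # no assertion anywhere: deny
    if not isinstance(p, int):       # mirrors "if tp is not IntType"
        if isinstance(p, dict):      # per-name table
            p = p.get(name, None)
        else:                        # callable deciding per (name, value)
            p = p(name, value)
    return bool(p)

def demo():
    base = {tuple: 1, list: 1, dict: 1}            # table before the change
    patched = dict(base)
    patched[PerlRef] = 1                           # the change in the message
    per_name = dict(base)
    per_name[PerlRef] = {"path": 1}                # dict-valued assertion
    ref = PerlRef({"path": "/usr/lib/perl5"})      # constructed sample value
    return {
        "unregistered": unprotected_access_allowed(ref, "path", None, base),
        "registered": unprotected_access_allowed(ref, "path", None, patched),
        "class_attr": unprotected_access_allowed(
            PerlRefWithPolicy({}), "path", None, base),
        "per_name_hit": unprotected_access_allowed(ref, "path", None, per_name),
        "per_name_miss": unprotected_access_allowed(ref, "secret", None, per_name),
    }
```

A dict-valued entry, as in per_name, grants only the listed names, which is narrower than the blanket 1 used for the built-in containers.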