[Zope-CMF] Security behavior question

Tres Seaver tseaver@zope.com
Mon, 17 Dec 2001 13:48:42 -0500


Doyon, Jean-Francois wrote:

> Tres,
> 
> Thanks for the quick reply!
> 
> The behavior you describe is what I was expecting.
> 
> Actually I have a customized "document_view" that behaves normally.  It
> seems the problem occurs only with my DTML method (Part of a skin) that I
> created from scratch (instead of using a default one and clicking
> "customize") ...
> 
> It should be noted that the object I'm "viewing" is actually a custom one I
> created and added to the list of CMFDefault object types.  Could the problem
> come from that? I'm pretty sure all my security declarations are correct,
> I'll revisit them, but it's a real basic object with only one property.
> 
> As for your questions, nope I didn't change anything as far as security
> settings, at least not for the "anonymous" role ... (Well I removed the
> ability to join the portal, but that's it).  My method has the exact same
> security properties set on it as the customized document_view, and
> neither have any Proxy roles defined.
> 
> As for the caching, I just tested that and nope ... the third way of doing
> it still gets me in ...
> 
> Hmmm ... And "document_view" and "map_interactive" (My DTML Method) both
> live in the "custom" skin folder, which means that permission inheritance is
> also the same ...
> 
> Ha ha ... I like to work from examples, and I'm noticing the Document's
> CookedBody has a declareProtected set on it ... Which makes sense, but I
> don't have that kind of declaration on my object, since there's no method in
> my class ... My object simply sets a property used by the skin. How would I
> go about declaring a security condition on accessing a property instead of a
> method (or function, whatever the python parlance is :)?
> 
> I guess I would have to add a new permission setting and instead of doing a
> declareObjectPublic I would use a declareObjectProtected(<permission name>)
> ?

Yes, that seems like the problem.  The skin methods themselves
aren't protected (can't be, given the skins architecture);  they
rely on the underlying objects' protections.  If you change just
the one line in your class from 'security.declareObjectPublic()' to
'security.declareObjectProtected( "View" )', your issue should
vanish (actually, you could probably just delete the line, as
PortalContent already says that).

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
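
Added example, not part of the original thread and not Zope's own code: a small pure-Python model of why an unprotected skin method exposes an object declared public, and why deleting the declaration restores the inherited "View" protection. The class names, the `map_url` property, `checked_getattr`, and the role grants are assumptions made for illustration; only `map_interactive` and the declaration names come from the thread.

```python
# Simplified model of object-level declarations; not Zope's AccessControl code.
PUBLIC = None  # marker meaning "no permission required"

# Constructed sample grants: which permissions each role holds.
ROLE_PERMISSIONS = {"Anonymous": set(), "Member": {"View"}}


class Unauthorized(Exception):
    pass


class PortalContentModel:
    """Stand-in base class that protects the whole object with 'View'."""
    object_permission = "View"       # models declareObjectProtected("View")

    def __init__(self, map_url):
        self.map_url = map_url       # plain property, no method to protect


class MapPublic(PortalContentModel):
    """Overrides the base declaration, as in the class from the question."""
    object_permission = PUBLIC       # models declareObjectPublic()


class MapInherited(PortalContentModel):
    """Declaration line deleted: the base class protection applies."""


def checked_getattr(obj, name, roles):
    """Hypothetical helper: attribute read as seen from skin code."""
    needed = type(obj).object_permission
    if needed is not PUBLIC and not any(
            needed in ROLE_PERMISSIONS.get(r, ()) for r in roles):
        raise Unauthorized("%s requires %r" % (name, needed))
    return getattr(obj, name)


def map_interactive(obj, roles):
    """Skin method model: carries no permission check of its own."""
    return "<img src='%s'>" % checked_getattr(obj, "map_url", roles)


def can_render(obj, roles):
    """True if the skin method renders for a user holding these roles."""
    try:
        map_interactive(obj, roles)
        return True
    except Unauthorized:
        return False
```
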