[Zope-CMF] New CMF tool has bogus __roles__

Dieter Maurer dieter@handshake.de
Fri, 1 Feb 2002 20:44:36 +0100


Dan L. Pierson writes:
 > I'm working on a new CMF tool to be released at Python 10.  When I tried
 > to test the versions broken out of our running site today, I discovered
 > that all DTML, etc. access to the tool fails authorization because the
 > tool has __roles__ = ().
 > ...
 > class PostingsTool(UniqueObject, Folder):
 >     """
 >         Maintain Squishdot style postings in a Postgresql database.
 > 
 >         Since there is no database connection passed at tool creation, the
 >         first manual action with the tool must be to set a database connection
 >         via the SQL tab.  All other tabs and methods are likely to fail or be
 >         useless until that is done.
 >     """
 >     id = 'postings_tool'
 >     meta_type = 'SqSQL Postings Tool'
 > 
 >     security = ClassSecurityInfo()

Maybe, the new "deny unless allowed" policy introduced by the "security
jihad"...

There is a proposal (now maybe named "Security Cleanup") that describes
the effect of this change.

A search on the mailing list archives (zope-dev) may also show you
the intense battle in connection with this change.

Add a "security.declareObjectProtected(<your permission>)"
to define the roles.


Dieter
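
Added example, not part of the original message and not Zope's own code: a simplified pure-Python model of how a __roles__ value is read (None is public, an empty tuple matches no role) and of what an object-level declaration such as declareObjectProtected changes. The permission table, the users and the "Manage postings" permission name are constructed assumptions.

```python
# Simplified model of the __roles__ convention; added example, not Zope's code.
ACCESS_PUBLIC = None    # __roles__ = None: accessible to anyone
ACCESS_PRIVATE = ()     # __roles__ = (): no role can ever match

# Constructed permission-to-roles table (stands in for a site's security settings).
PERMISSION_ROLES = {
    "View": ("Anonymous", "Manager"),
    "Manage postings": ("Manager",),  # hypothetical permission name
}

# Constructed users and the roles they hold.
USERS = {
    "anonymous": ("Anonymous",),
    "member": ("Member", "Authenticated"),
    "admin": ("Manager",),
}


def roles_allow(object_roles, user_roles):
    """Return True if a user holding user_roles may access the object."""
    if object_roles is None or "Anonymous" in object_roles:
        return True
    return any(role in object_roles for role in user_roles)


def declare_object_protected(cls, permission):
    """Model an object-level declaration: bind __roles__ to the permission's roles."""
    if permission not in PERMISSION_ROLES:
        raise KeyError("unknown permission: %r" % permission)
    cls.__roles__ = tuple(PERMISSION_ROLES[permission])
    return cls


def access_report(cls):
    """Map each constructed user to whether the role check lets them in."""
    return {name: roles_allow(cls.__roles__, roles) for name, roles in USERS.items()}


class PostingsTool:
    id = "postings_tool"
    __roles__ = ACCESS_PRIVATE  # the state reported in the thread


if __name__ == "__main__":
    print("before:", access_report(PostingsTool))
    declare_object_protected(PostingsTool, "Manage postings")
    print("after: ", access_report(PostingsTool))
```

With the empty tuple even the Manager role is refused, so the permission chosen for the declaration decides who gets in; pick the narrowest one that the tool's callers actually hold.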