[Zope-dev] RFClarification: Security on Product Attributes
Jim Fulton
jim@digicool.com
Thu, 05 Oct 2000 15:58:58 -0400
"Phillip J. Eby" wrote:
>
> At 12:27 PM 10/4/00 -0400, Brian Lloyd wrote:
> >
> >I've verified (any of my previous comments to the contrary) that
> >simple attributes (python types) do not really play in the
> >permissions machinery. The canonical way to expose such things
> >for now is to expose them through method calls (which can play
> >in the permissions scheme).
> >
>
> IIRC, this stuff got broken by the switch to the new security machinery.
> ZopeSecurityPolicy doesn't check 'foo__roles__' on the parent object the
> way ZPublisher does/did.
It never did. Before the switch to the new policy machinery,
most attributes that don't have roles were unprotected.
Now, we at least have a way to make some assertions.
Jim
--
Jim Fulton mailto:jim@digicool.com Python Powered!
Technical Director (888) 344-4332 http://www.python.org
Digital Creations http://www.digicool.com http://www.zope.org
Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email
address may not be added to any commercial mail list with out my
permission. Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damages/incident, $1500 for
repeats.