[Zope-dev] Request For Comments: SecurityJihad

Michael R. Bernstein webmaven@lvcm.com
17 Aug 2001 17:59:35 -0700


On 17 Aug 2001 19:34:24 +0200, Dieter Maurer wrote:
>
> Michael R. Bernstein writes:
>
>  > >   *  never saw any special handling for "manage_*" methods.
>  > 
>  > You mean that you've never seen it demonstrated? I think you said that
>  > you always add explicit security directives anyway. The special handling
>  > of 'manage_' methods only shows up if the method does not have an
>  > explicit security statement.
>
> No, I do not mean that.
> 
>    I looked intensively at ZPublisher's code and there, I could not
>    see any special handling of "manage_" methods.

Ah. I apologize for this inaccuracy in my first version of the proposal.
Apparently that behaviour is due to the class loader, not ZPublisher.
Jim Fulton informed me of this (in his comments on the proposal page),
and the proposal was corrected in that regard several days ago.

>  > ....
>  > Only the docstring and 'manage_' behaviours are intended to be switched
>  > off by default through the use of the new declarative security.
>
> As I think, the "manage_" behaviour is not really there,
> what remains is the docstring.
> 
> The docstring behaviour has two aspects:
> 
>   *  when an object did not have a docstring, ZPublisher
>      would not publish it, independent of any other
>      security assertion (that's the way, I always saw the rule).
> 
>      Thus, if someone wanted an object to be usable from
>      DTML (or other TTW contexts), but did not want it
>      to be published via the Web, he could do so by
>      not providing a docstring.
> 
>      Your proposal may want to provide another,
>      clearer and more explicit method for the
>      (understandable) wish.

That is an interesting suggestion. However, this seems as though it
would be an extension of the functionality of the Declarative Security
framework itself, not merely a clarification of its use within Zope, so
it should probably get its own proposal.

>  > For those products that currently rely on the docstring and 'manage_'
>  > behaviours *and* use declarative security, a way of turning those
>  > behaviours back on will be provided, eg:
>  > 
>  > - security.docstringsMakePublishable("yes") 
>  > 
>  > - security.manageMethodNamesAreSpecial("yes")
>
> I understood that and do not like it:
> 
>   When I say "__allow_access...=1" then the current
>   docstring behaviour should remain.
> 
>   When I say "__allow_access...=0" or nothing at all,
>   then it should go.

But that would remove from developers the possibility of changing the
policy to 'allow if not denied' for their class without re-activating
the docstring and 'manage_' behaviour, wouldn't it?

If a developer wants to explicitly change the policy for their objects
to 'allow unless denied' then they should be able to do so without
dragging in side effects, IMO.


Michael Bernstein.
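The disagreement above is about whether the legacy "no docstring, no publishing" rule should be tied to the class-level "allow access to unprotected subobjects" policy or controlled by its own directive. The following toy model is an added illustration and is not Zope or ZPublisher code, nor code from either participant: it takes only the three inputs named in the thread (an explicit security declaration on the method, the allow-unprotected policy, and the docstring rule) and encodes the two readings side by side. The `Method` type, the function names `publishable`, `coupled` and `independent`, the precedence order, and the keyword `docstrings_make_publishable` (standing in for the proposed `security.docstringsMakePublishable("yes")` directive) are all assumptions made for the example.

```python
# Toy model of the publishing decision debated in this thread. This is an
# added illustration, not Zope or ZPublisher code: the three inputs come
# from the thread, while the type and function names and the exact
# precedence between them are assumptions.
from dataclasses import dataclass
from typing import Optional

PUBLIC, PRIVATE = "public", "private"


@dataclass
class Method:
    name: str
    doc: Optional[str]                 # the method's docstring, or None
    declaration: Optional[str] = None  # PUBLIC, PRIVATE, or None (undeclared)


def publishable(m: Method, allow_unprotected: bool, docstring_rule: bool) -> bool:
    """Would the toy publisher expose `m` on the web?

    An explicit declaration always wins. An undeclared method is governed by
    the class policy: denied under 'deny unless allowed'; otherwise allowed,
    but only when documented while the legacy docstring rule is in force.
    """
    if m.declaration == PRIVATE:
        return False
    if m.declaration == PUBLIC:
        return True
    if not allow_unprotected:          # __allow_access_to_unprotected_subobjects__ = 0
        return False
    if docstring_rule and not m.doc:   # legacy: an undocumented object is never published
        return False
    return True


def coupled(m: Method, allow_unprotected: bool) -> bool:
    """Dieter's reading (as modelled here): the docstring rule is in force
    exactly when the class allows access to unprotected subobjects."""
    return publishable(m, allow_unprotected, docstring_rule=allow_unprotected)


def independent(m: Method, allow_unprotected: bool,
                docstrings_make_publishable: bool = False) -> bool:
    """Michael's reading of the proposal: the docstring rule is off by default
    and re-enabled only by an explicit directive, modelled by the hypothetical
    keyword `docstrings_make_publishable`."""
    return publishable(m, allow_unprotected, docstring_rule=docstrings_make_publishable)


# Constructed sample methods: one documented, one undocumented, one private.
DOCUMENTED = Method("index_html", "Render the object.")
UNDOCUMENTED = Method("helper", None)
PRIVATE_HELPER = Method("_secret", "Documented but declared private.", PRIVATE)


def compare() -> dict:
    """Outcomes under 'allow unless denied' for each reading, per method."""
    return {
        m.name: {
            "coupled": coupled(m, allow_unprotected=True),
            "independent": independent(m, allow_unprotected=True),
            "independent+docstring_rule": independent(m, True, True),
        }
        for m in (DOCUMENTED, UNDOCUMENTED, PRIVATE_HELPER)
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

Running `compare()` shows the point made in the last two paragraphs: under the coupled reading, switching a class to 'allow unless denied' necessarily brings the docstring behaviour back for every undeclared method, and there is no setting that separates the two; under the independent reading the developer chooses each one. In both readings an explicitly declared method is unaffected by either switch, which is why stating intent with explicit declarations is the safer habit regardless of how the default is eventually decided.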