[Zope-dev] Security Weirdness

Michel Pelletier michel@digicool.com
Thu, 26 Jul 2001 08:53:37 -0700


"Michael R. Bernstein" wrote:
> 
> Hi everyone,
> 
> Ok, I'm developing a python Product and have gotten to the stage where I
> am adding security declarations. I understand the default policy (once
> you've added a ClassSecurityInfo instance to the class and called
> InitializeClass(yourClass) ) should be to deny access to methods that
> don't have any security declarations.
> 
> This doesn't seem to be the case. Even though I have *not* added
> security.setDefaultAccess("allow"), access to unprotected methods (both
> regular methods and HTMLFile methods) is being allowed rather than
> denied.
> 
> Protecting methods with a permission works as it should.
> 
> Can anyone help diagnose this?

Does your component derive from SimpleItem?  If so, you are
inadvertently inheriting __allow_access_to_unprotected_subobjects__. 
Unfortunately, this means that almost all Zope objects inherit this,
including yours, I presume.

The way around this is to either set the above class attribute (in
*your* class) to zero, or protect everything with a permission.

-Michel
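
An added example, not part of the original message: a small audit helper that shows which base class supplies `__allow_access_to_unprotected_subobjects__` and which public methods carry no declaration and so fall back to it. The classes are constructed stand-ins rather than real Zope classes, and the helper assumes the Zope 2 convention that a declaration for method `foo` is stored on the class as `foo__roles__`.

```python
FLAG = "__allow_access_to_unprotected_subobjects__"


def flag_origin(cls):
    """Return (class name, value) for the first class in the MRO defining FLAG."""
    for klass in cls.__mro__:
        if FLAG in vars(klass):
            return klass.__name__, vars(klass)[FLAG]
    return None, None


def undeclared_methods(cls):
    """Public callables with no '<name>__roles__' attribute (assumed convention)."""
    names = []
    for name in dir(cls):
        if name.startswith("_") or name.endswith("__roles__"):
            continue
        if callable(getattr(cls, name)) and not hasattr(cls, name + "__roles__"):
            names.append(name)
    return sorted(names)


def audit(cls):
    """Report where the flag comes from and which methods rely on it."""
    origin, value = flag_origin(cls)
    # Undeclared methods are only reachable when the inherited flag is truthy.
    exposed = undeclared_methods(cls) if value else []
    return {"flag_from": origin, "flag_value": value, "exposed": exposed}


# Constructed stand-in for a Zope base class that sets the flag to 1.
class FakeSimpleItem(object):
    __allow_access_to_unprotected_subobjects__ = 1


class MyProduct(FakeSimpleItem):
    view__roles__ = ("Manager",)  # constructed: 'view' has a declaration

    def view(self):
        return "protected by a permission"

    def helper(self):
        return "no declaration, falls back to the inherited flag"


# First workaround from the reply: set the attribute to zero in *your* class.
class MyProductFixed(MyProduct):
    __allow_access_to_unprotected_subobjects__ = 0
```

`audit(MyProduct)` reports that the flag comes from the base class and that `helper` is reachable through it; `audit(MyProductFixed)` shows the override taking effect in the subclass.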