[Zope-dev] Security Weirdness

Michael R. Bernstein webmaven@lvcm.com
26 Jul 2001 09:34:57 -0700


On 26 Jul 2001 08:53:37 -0700, Michel Pelletier wrote:
> "Michael R. Bernstein" wrote:
> > 
> > This doesn't seem to be the case. Even though I have *not* added
> > security.setDefaultAccess("allow"), access to unprotected methods (both
> > regular methods and HTMLFile methods) is being allowed rather than
> > denied.
> > 
> > Protecting methods with a permission works as it should.
> > 
> > Can anyone help diagnose this?
> 
> Does your component derive from SimpleItem?  If so, you are
> inadvertently inheriting __allow_access_to_unprotected_subobjects__. 
> Unfortunately, this means that almost all Zope objects inherit this,
> including yours, I presume.
> 
> The way around this is to either set the above class attribute (in
> *your* class) to zero, or protect everything with a permission.

OK, thanks. This seems counter to the thrust of the security chapter in
the developer's guide, where it pretty much unequivocally states that
unless your class has 'security.setDefaultAccess("allow")', it will
follow the default policy, which is to deny the access.

Is the dev-guide intended to reflect an ideal that Zope hasn't achieved
yet? Will future versions of Zope reverse this behaviour of SimpleItem?

Thanks,

Michael Bernstein.
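
Added example, not part of the original message and not Zope's own code: a simplified model of the inheritance problem discussed in this thread, showing how to find which base class supplies `__allow_access_to_unprotected_subobjects__` and which methods are left without a permission. `SimpleItemStandIn`, `LeakyProduct` and `StrictProduct` are constructed stand-ins, and the model assumes an integer flag and permissions listed in `__ac_permissions__`.

```python
# Simplified model of the inheritance issue; this is not Zope's security policy code.
FLAG = "__allow_access_to_unprotected_subobjects__"


class SimpleItemStandIn:
    """Stand-in for a framework base class that sets the flag (assumption)."""
    __allow_access_to_unprotected_subobjects__ = 1


class LeakyProduct(SimpleItemStandIn):
    """Constructed product: one protected method, one forgotten."""
    __ac_permissions__ = (("View", ("index_html",)),)

    def index_html(self):
        return "public page"

    def manage_secret(self):
        return "no permission declared"


class StrictProduct(LeakyProduct):
    """Same product with the fix from the thread: flag set to zero in *this* class."""
    __allow_access_to_unprotected_subobjects__ = 0


def flag_origin(cls):
    """Return (defining class name, value) for the flag, or (None, None)."""
    for klass in cls.__mro__:
        if FLAG in vars(klass):
            return klass.__name__, vars(klass)[FLAG]
    return None, None


def exposed_methods(cls):
    """Public methods with no permission that the inherited flag leaves reachable."""
    _, value = flag_origin(cls)
    if not value:  # model assumption: flag absent or zero means unprotected names are denied
        return []
    protected = set()
    for klass in cls.__mro__:
        for entry in vars(klass).get("__ac_permissions__", ()):
            protected.update(entry[1])
    names = (n for n in dir(cls) if not n.startswith("_"))
    return sorted(n for n in names if callable(getattr(cls, n)) and n not in protected)


if __name__ == "__main__":
    for product in (LeakyProduct, StrictProduct):
        print(product.__name__, flag_origin(product), exposed_methods(product))
```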