[Zope-dev] hotfix and security declaration

Steve Alexander steve@cat-box.net
Mon, 05 Aug 2002 23:02:39 +0100


Yuppie wrote:
> Hi!
> 
> Writing a hotfix for my product

Are you sure?

Are you writing an urgent ad-hoc security update that is important and 
can't wait until the next official release of your product?

If not, you're writing a "dynamic patch" or "monkey patch", not a hotfix.


> I have some questions about security 
> declarations. The ZDG doesn't cover this.
> 
> 1.) adding a new Method:
> Is the following code safe? Or is there a better way to do that?
> 
> <code>
> from Globals import InitializeClass
> from AccessControl import ClassSecurityInfo
> from Products.oldProduct import oldClass
> 
> def newMethod(self):
>    pass
> 
> oldClass.security = ClassSecurityInfo()
> oldClass.security.declareProtected( 'View', 'newMethod' )
> oldClass.newMethod = newMethod
> 
> InitializeClass(oldClass)
> </code>

I think this might wipe out the old security assertions, but I'm not sure.


> 2.) override security declaration:
> 
> <code>
> oldClass.security.declareProtected( 'View', 'oldMethod' )
> InitializeClass(oldClass)
> </code>
> 
> This code raises a conflict warning and doesn't change the setting.
> The ZDG says: "it is not legal to declare two conflicting permissions on 
> a method".
> Why is it illegal? Why will it only accept the first declaration and not 
> override it? Is there another solution?

I'm surprised that this works, as I would have expected oldClass to have 
been initialized already. As far as I can remember, initializing a class 
causes any attributes that are of type ClassSecurityInfo to be 
processed, then removed from the class.

Do you really need to dynamically patch to do this?
Perhaps instead you can subclass the original class, and then overwrite 
the name of the original class in its module with your new class.

--
Steve Alexander