[Zope-dev] security.declareProtected doesn't always work?

Dieter Maurer dieter@handshake.de
Wed, 2 Jan 2002 21:43:20 +0100


Martijn Faassen writes:
 > I have some issues with using declareProtected() outside product
 > classes (deriving from ObjectManager or SimpleItem). An external method
 > example that _does_ work, taken from the ZDG:
 > 
 > import Globals
 > import Acquisition
 > from AccessControl import ClassSecurityInfo
 > 
 > class Book(Acquisition.Implicit):
 >   def __init__(self, title):
 >     self._title=title
 >     
 >   # Create a SecurityInfo for this class
 >   security = ClassSecurityInfo()
 >   security.declareObjectPublic()
 >   
 >   security.declarePublic('getTitle')
 >   def getTitle(self):
 >     return self._title
 >   
 > Globals.InitializeClass(Book)
 >     
 > # The actual external method
 > def GetBooks(self):
 >   books=[]
 >   books.append(Book('King Lear'))
 >   books.append(Book('Romeo and Juliet'))
 >   books.append(Book('The Tempest'))
 >   return books
 > 
 > Now replace the line "security.declarePublic('getTitle')" with something like
 > "security.declareProtected('View', 'getTitle')", and suddenly nobody is
 > allowed to call getTitle() on a Book object anymore.
You must acquistion wrap your book objects. Otherwise, Zope's
security code is unable to find the permission-role mapping.

Try:

	return books.__of__(self)


Dieter