[Zope-dev] Ambiguities in "Inheritance and Class Security Declaration"

Ross Boylan RossBoylan@stanfordalumni.org
Fri, 19 Jul 2002 13:57:17 -0700


After reading this section of the development guide, I have a lot of
questions (pp 75-76 of the guide).

1. If a subclass redefines a base class method, does the subclass need
to do a security declaration on it?  The document says "You only need
to make security declarations for methods .... your class actually
defines.  If your class inherits from other classes, the methods of
the base classes are protected by the security declarations made in
the base classes."  The first sentence seems to indicate a security
declaration is necessary (since you define the method); the second
sentence suggests it's not.  It depends partly on the meaning of
"define" and also "method" (that is, is redefinition considered
definition?  Does method refer to a name or to a specific class's
implementation of that name?).

2. Does a subclass need to have
   security = ClassSecurityInfo()
in it if the base class does?  Judging from the example, yes.

3. Under what circumstances is the declaration in 2 necessary?  For
example, only if new method names are introduced and protected?  Or
any reference to security in the subclass?  It seems the latter, from
the example.

4. Suppose we wanted to change the security of a base class method
without otherwise redefining it.  What's necessary then?

5. Under what conditions is InitializeClass necessary for the subclass
when the base class has been through InitializeClass?  (The guide only
addresses the case when the base class has not been so processed.  It
also says the declarations "filter down", but the implication of this
for new methods is unclear.)

This section has a lot of explicit discussion of odd cases (no
security in superclass, redefining permissions on existing methods
without changing them) and not enough about the normal cases (my
subclass extends some base class methods and defines some new ones).

Also, the second paragraph uses "superclass" where I hope it means
subclass. 

Although I would appreciate any responses from the list, I would also
like to send these comments to the document's authors.  Unfortunately,
I see no authorship or contact information in the document.  Can
anyone suggest some?

Thanks.