[Zope-dev] strange priv leak

Dieter Maurer dieter@handshake.de
Tue, 20 May 2003 19:50:40 +0200

Shane Hathaway wrote at 2003-5-19 15:54 -0400:
 > ...
 > We can't, unless we overhaul the security policy.  Declarations for 
 > built-in types get ignored.  This is because the security policy depends 
 > on being able to find a __roles__ attribute on the thing accessed. 
 > Instances of built-in types do not allow extra attributes (nor should 
 > they.)  So, for example, declarePrivate('some_string_attribute') has no 
 > effect, nor did it ever have any effect.

I do not think so (at least when I understand the code correctly).

  When the object does not have a "__roles__" attribute,
  its container is checked.

  Place the security declaration there (e.g. coded in the
  form "<attribute>__roles__") for objects that can not
  carry it themselves.