[Zope-dev] Re: Bad interaction between Zope 2.7.3 and CMF 1.4

Stefan H. Holek stefan at epy.co.at
Sat Oct 9 13:46:12 EDT 2004


On 09.10.2004, at 18:04, Tres Seaver wrote:
>
> *By definition*, anybody who has declared 'setDefaultAccess('deny')' 
> *wants* the behavior you describe:  that declaration says, "unless I 
> give you explicit permission for using a name, refuse."
>
> If Plone has classes which make such assertions, then either the 
> authors *meant* them, or they need to be removed.  This is (literally) 
> the same thing as declaring 
> '__allow_access_to_unprotected_subobjects__ = 0' in your class.
>

Plone itself doesn't AFAICS. Third party applications may, like the one 
I was talking about. The unfortunate coincidence is that these apps 
work fine with Zope up to 2.7.2.

I am of the impression that using aq_acquire in guarded_getattr does 
the right thing (by accident?). I certainly lack the Fu though.

> Your test doesn't really belong in CMF, as you are arguing that the 
> current implementation in Zope is broken.
>
> Please *don't* check such a test in on the HEAD (or branch head) until 
> after this discussion is resolved.
>

Right, but I couldn't make it break anyplace else. Sorry. Feel free to 
remove it.

> Thank you for making the case reproducible;  Richard Jones had 
> reported this issue earlier, but couldn't cut it down to a simple 
> case.  I will work on adding tests to AccessControl which make the 
> intent clear (we can still argue about whether to keep the change).

Thank you!

Stefan


--
The time has come to start talking about whether the emperor is as well
dressed as we are supposed to think he is.               /Pete McBreen/


