[Zope-dev] Re: security problem in an monkey-patch

Joachim Schmitz js at aixtraware.de
Wed Sep 19 11:30:17 EDT 2007

Tres Seaver schrieb:
> Hash: SHA1

>> security.declareProtected(view_management_screens, 'getBypassQueue')
>> def getBypassQueue(self):
>>      "get _by_pass"
>>      if not hasattr(self,"_bypass"):
>>          self._bypass = False
>>      return self._bypass
> I would write this as:
>    return getattr(self, '_bypass', False)
> avoiding both write-on-read and hasattr in one fell swoop.
thanks for the tip.

>> <input type="checkbox" name="enable_bypass"
>> 	               tal:attributes="checked
>> 		       here/portal_catalog/getBypassQueue" />
>> I get:
>> Unauthorized: The container has no security assertions.  Access to 
>> 'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.
>> What I am missing here.
> You need to supply security assertions for the new method you have adeed
> to the class (your security assertions are being "left behind" in the
> context where you defined the function)..  Likely you can add another
> attribute to the class, 'getBypassQueue__roles__', with the value being
> a tuple, ('Manager',)  (unless you want to figure out how to create a
> PermissionRoles object yourself).
I solved it with:

QueueCatalog.getBypassQueue__roles__ = ['Manager', 'Owner',]
thanks for the help.

Gruß Joachim

More information about the Zope-Dev mailing list