[Zope] Object permissions in External Methods with XML

Chris McDonough chrism@zope.com
Tue, 9 Jul 2002 16:00:33 -0400


Your Python code indentation did not make it successfully through
email so I can only guess what the code really means.  But here's a
more verbose description of a solution with an entirely separate set
of domain objects.

Say you have an object that you want to return that cannot be
protected with security declarations (perhaps attributes can't be set
on it because it's an instance of a C-defined type that doesn't have
a setattr), call this "foo".  Say that it has methods "getOne" and
"getTwo" that you want to use in TTW code.  Say that getOne and
getTwo don't return "complex" objects (instances), but normal Python
objects like strings (which don't need their own security
declarations):

You would define a wrapper class in your external method like so:

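import Globals
from AccessControl import ClassSecurityInfo

class FooWrapper:
    # Declarations go on the wrapper because "foo" itself can't carry them
    security = ClassSecurityInfo()
    security.declareObjectPublic()

    def __init__(self, real_foo):
        self.real_foo = real_foo

    security.declarePublic('getOne')
    def getOne(self):
        return self.real_foo.getOne()

    security.declarePublic('getTwo')
    def getTwo(self):
        return self.real_foo.getTwo()

# Apply the declarations above to the class
Globals.InitializeClass(FooWrapper)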

And an external method to make use of the wrapper would look
something like:

def getAFoo(self, name):
    import foo
    inst = foo.foo(name)
    return FooWrapper(inst)

As long as getOne and getTwo return "basic" python types this
wrapper will work.  If the methods return instances, classes, or
anything that is not a string, list, dict, or tuple, you will not be
able to do anything with the return values due to the security
machinery.  There are ways around this (namely, setting an attribute
on a returned instance called
"__allow_access_to_unprotected_subobjects__"), but if you're going
to go this far it'd probably be better to use an external method.

- c
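
Added example, not part of the original message or of Zope: the "explicitly copy the data" idea from the quoted question, done by rebuilding the returned object tree from the basic types that the reply says pass through the security machinery. It is written for current Python and assumes the tree keeps its data in ordinary instance attributes; `to_basic`, `_Node` and the sample values are constructed for illustration.

```python
# Added example: copy an unprotected object tree into basic Python types,
# so restricted code receives data only and never a reference to the original.
BASIC = (str, bytes, int, float, bool, type(None))
MAX_DEPTH = 20  # assumed cap so a very deep tree cannot exhaust the stack


def to_basic(obj, _depth=0, _path=frozenset()):
    """Return a copy of obj made only of dicts, lists and scalar values."""
    if isinstance(obj, BASIC):
        return obj
    if _depth >= MAX_DEPTH or id(obj) in _path:
        return None  # cycles and over-deep branches are dropped, not referenced
    _path = _path | {id(obj)}  # ancestors only, so shared leaves are still copied
    if isinstance(obj, (list, tuple)):
        return [to_basic(item, _depth + 1, _path) for item in obj]
    if isinstance(obj, dict):
        return {str(k): to_basic(v, _depth + 1, _path) for k, v in obj.items()}
    attrs = getattr(obj, "__dict__", None)
    if attrs is None:
        return None  # opaque value without an attribute dict: deny by default
    copied = {}
    for name, value in attrs.items():
        if name.startswith("_") or callable(value):
            continue  # private names and methods are never exposed
        copied[name] = to_basic(value, _depth + 1, _path)
    return copied


class _Node:
    """Constructed stand-in for one element of an objectified XML document."""
    def __init__(self, **kw):
        self.__dict__.update(kw)


def sample_tree():
    """Constructed sample: a UserRequest element with nested children."""
    roles = [_Node(PCDATA="Manager"), _Node(PCDATA="Owner")]
    user = _Node(name="jdoe", roles=roles)
    user._parent = user  # private back-reference that must not be copied
    return _Node(UserRequest=_Node(user=user, id=42))


if __name__ == "__main__":
    print(to_basic(sample_tree()))
```

An external method would return the result of `to_basic` on the parsed object instead of the object itself, so every level below the top is already a dict, list or scalar.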


----- Original Message -----
From: "J. Joy" <kyroraz@yahoo.com>
To: "Chris McDonough" <chrism@zope.com>; <zope@zope.org>
Sent: Tuesday, July 09, 2002 3:40 PM
Subject: Re: [Zope] Object permissions in External Methods with XML


> Okay... I've given this a few tries, but I can't quite seem to
> nail it down.
> I can get to the initial object, but anything deeper and I run
> into more access restrictions.  It seems to be copying a reference
> rather than the material, so I might have to find a way to
> explicitly copy the data from the one object to the other as
> equals doesn't seem to be the way to do it.
>
> This is what I have thus far:
>
> ---
>
> import gnosis.xml.objectify as xp
> from AccessControl import ClassSecurityInfo
> from Acquisition import Implicit
> import Globals
>
>
> class Container(Implicit):
> security = ClassSecurityInfo()
> security.declareObjectPublic()
> security.setDefaultAccess('allow')
> security.declarePublic('xml_to_py')
>
> def xml_to_py(self):
>
>         object = xp.XML_Objectify('/tmp/sample.xml')
> returning = object._PyObject
>
>                 ## Here is one idea I had, put it into a object like info and then return it,
>                 ## didn't work so well...
>         info = []
> transport = Container()
> info.append(returning)
>
> return (returning)
>
> def xml_to_py(self):
>
> Globals.InitializeClass(Container)
>
> xml_transport = Container()
> print dir(xml_transport.xml_to_py())
> print dir(xml_transport.xml_to_py().UserRequest)
> return (xml_transport.xml_to_py().UserRequest)
>
>
> Globals.InitializeClass(Container)
>
> ---
>
> I've gone through the security documents, but I don't seem to be
> able to find anything special about unsecuring such an issue
> specific to this case.
>
> --- Chris McDonough <chrism@zope.com> wrote:
> > You need to make security declarations on the *returned object*
> > (which in this case is "object._PyObject").  I don't have any idea
> > what this is but what you probably want to do is return an
> > instance of a class which has security declarations that *wraps*
> > this object's methods.
>