[Zope] Zope product security question

Michael R. Schwab Michael.Schwab-mail.zope.org@icantbelieveididthat.com
Tue, 11 Mar 2003 10:49:10 -0600


Paul Winkler wrote:
> On Mon, Mar 10, 2003 at 03:33:18PM -0600, Michael R. Schwab wrote:

(snip)

>>The second method seems to be the newest and most logical approach.
>>The exception being that the default security access to 'deny' does
>>not permit me to access attributes from my class that are basic Python
>>types such as strings (e.g. meta_type from a DTML Method).  I could
>>declare the default security access to 'allow', but that seems
>>inherently dangerous from a security standpoint.
> 
> I think what you're looking for is
> __allow_access_to_unprotected_subobjects__ = 1

Having dug a little further into the bowels of Zope, I don't believe 
that this will work, even if I had wanted to use it.

Setting __allow_access_to_unprotected_subobjects__ to 1 would be 
overridden by Globals.InitializeClass.

In Globals.InitializeClass, there is a check to determine what the 
default access policy is set to ('allow' or 'deny' via the 
security.setDefaultAccess() call).  If the default access has been set, 
__allow_access_to_unprotected_subobjects__ is assigned the value of 
default access ('deny' == 0 and 'allow' == 1).

Am I off the mark here?

> or, just make declarations on specific attributes:
> 
> security.declarePublic('meta_type')
> self.meta_type = "blah"

Thanks,
Michael
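
Added example, not part of the original message and not Zope's own code: a simplified stand-alone Python model of the behaviour discussed in this thread, where a declared default access replaces a hand-set __allow_access_to_unprotected_subobjects__ and a per-attribute declarePublic() still opens one attribute. MiniSecurityInfo, initialize_class, may_access, Product and the ACCESS_PUBLIC marker are hypothetical stand-ins.

```python
# Simplified stand-alone model (not Zope code). All names are hypothetical.
ACCESS_PUBLIC = "public"   # constructed marker for a declarePublic() name
FLAG = "__allow_access_to_unprotected_subobjects__"


class MiniSecurityInfo:
    """Stand-in for a class security declaration object."""

    def __init__(self):
        self.default_access = None   # None: setDefaultAccess() never called
        self.public_names = set()

    def setDefaultAccess(self, policy):
        if policy not in ("allow", "deny"):
            raise ValueError("policy must be 'allow' or 'deny'")
        self.default_access = policy

    def declarePublic(self, *names):
        self.public_names.update(names)


def initialize_class(cls):
    """Apply declarations as the message describes InitializeClass doing."""
    info = cls.security
    for name in info.public_names:
        setattr(cls, name + "__roles__", ACCESS_PUBLIC)
    if info.default_access is not None:
        # A declared default replaces any hand-set class flag.
        setattr(cls, FLAG, 1 if info.default_access == "allow" else 0)
    return cls


def may_access(obj, name):
    """Explicit per-attribute declaration first, then the class-wide flag."""
    if getattr(obj, name + "__roles__", None) == ACCESS_PUBLIC:
        return True
    return bool(getattr(obj, FLAG, 0))


class Product:
    security = MiniSecurityInfo()
    security.setDefaultAccess("deny")
    security.declarePublic("meta_type")
    __allow_access_to_unprotected_subobjects__ = 1   # hand-set, then replaced
    meta_type = "Sample Product"      # constructed sample value
    internal_note = "not declared"    # constructed sample value


initialize_class(Product)
```

In this model the hand-set flag ends up as 0 after initialization, meta_type is readable because of its explicit declaration, and internal_note stays denied under the 'deny' default.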