[Zope] Zope product security question

Chris Withers chrisw@nipltd.com
Thu, 13 Mar 2003 12:56:05 +0000

Michael R. Schwab wrote:
> The issue that I'm facing seems to be Zope's security model.  The ZDG's 
> security guide has even specified that object properties that are basic 
> Python types cannot have their permissions set via the usual 
> security.declarePublic() call (this includes 'id', 'meta_type', 
> 'title'). 

This is true.

Yoru options are:

1. setDefaultAccess('deny') and then provide setter and accessor methdos for the 
attributes in question.

2. I believe setDefaultAccess can be passed a list or function that determines 
whether an attribute is accessible. You'd have to do some research on this.

> I don't want to specify security.setDefaultAccess( 'allow' ) as this 
> would allow access to mutable types within my product from scripts and 
> defeats the purpose of setting a strict default security policy.

Be careful. OFS.SimpleItem.SimpleItem does this anyway, so you'll have to ensure 
you specifically set the policy in your product.