[Zope] Zope product security question
Thu, 13 Mar 2003 12:56:05 +0000
Michael R. Schwab wrote:
> The issue that I'm facing seems to be Zope's security model. The ZDG's
> security guide has even specified that object properties that are basic
> Python types cannot have their permissions set via the usual
> security.declarePublic() call (this includes 'id', 'meta_type',
This is true.
Yoru options are:
1. setDefaultAccess('deny') and then provide setter and accessor methdos for the
attributes in question.
2. I believe setDefaultAccess can be passed a list or function that determines
whether an attribute is accessible. You'd have to do some research on this.
> I don't want to specify security.setDefaultAccess( 'allow' ) as this
> would allow access to mutable types within my product from scripts and
> defeats the purpose of setting a strict default security policy.
Be careful. OFS.SimpleItem.SimpleItem does this anyway, so you'll have to ensure
you specifically set the policy in your product.