[Zope] Re: DiskBased products and security

Haim Ashkenazi haim at babysnakes.org
Mon Jun 13 14:07:56 EDT 2005


On Mon, 13 Jun 2005 19:13:14 +0200, Dieter Maurer wrote:

> Haim Ashkenazi wrote at 2005-6-13 15:43 +0300:
>> ...
>>1. __roles__ = () - I didn't understand exactly why but with this
>>statement I can't access the product either from the ZMI or directly from
>>the web.
> 
> This is a (deprecated) alternative for "security.declareObjectPrivate()".
> 
>>2. security.setDefaultAccess("deny") - I think I understand why we changed
>>that, but it's causing a lot of problems. If I add 'declareProtected' for
>>all my methods, I can access certain pages, but with some pages (maybe
>>ones that are calling methods from base classes or acquisition like
>>'title_or_id') I still get errors ("Unauthorized: You are not allowed to
>>access 'title_or_id' in this context"). Trying to solve this I started
>>adding 'declareProtected' for every method I got errors for. I gave up
>>after 3 methods, but it seems to help.
> 
> Yes, many methods of "OFS.SimpleItem.SimpleItem" and its base
> classes rely on its "setDefaultAccess('allow')".
> 
> If you change this to "deny", you have to provide the
> explicit security declarations.
> 
>>so, I was wondering if something was changed in the security model since
>>2.5 (the version that the book is about) until 2.7, and is there a place
>>where it's documented (the zope developer guide is versioned 2.4)?
> 
> "setDefaultAccess('deny')" had a bug in some earlier Zope versions.
> With the exception of this fix, nothing changed here for a long
> time. You can still use the Zope Developer Guide...
> 
>>also, if I make sure that every method I have in my module is also
>>declared as protected, or public, is there a problem with leaving the
>>default access as any?
> 
> As what?
Sorry, I was unclear there :)

What I meant is: if I don't leave any method undeclared (security-wise) in
my class, will it be a security risk to leave the default access
(setDefaultAccess('any'))? Can I protect uncallable objects (like
variables) the same way?

> 
> The "default access" also controls access to attributes of simple type
> (strings, tuples, dicts, ...) which cannot have their own security
> declarations.
> 
> If you do not access such attributes directly and you provide security
> declarations for all methods you use, then you can keep "defaultAccess
> == 'deny'".
Thanks a lot for a very informative answer.

Bye
-- 
Haim
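The rules Dieter describes above (the default access governing every undeclared attribute, inherited SimpleItem methods such as title_or_id relying on 'allow', simple-type attributes having no declarations of their own) can be seen in a small constructed model. The code below is an added example written for this page; it is not Zope's AccessControl code and not anything posted in the thread. It imitates the ClassSecurityInfo method names, but checks permissions directly against the caller's granted set instead of going through Zope's permission-to-role mapping, and the classes SimpleItemModel, DenyAllProduct, DeclaredProduct, AllowAllProduct and the attribute api_token are made up for the illustration.

```python
"""Constructed model of Zope 2 ClassSecurityInfo semantics (not Zope's own code).

Rules reproduced from the thread:
  * setDefaultAccess('allow'|'deny') decides for every attribute that has no
    declaration of its own: inherited methods and simple-type attributes alike.
  * declareProtected/declarePublic/declarePrivate attach per-name declarations.
  * The most-derived class's default wins, so a subclass that switches to
    'deny' must redeclare whatever it inherits from a base that relied on 'allow'.
"""

class Unauthorized(Exception):
    pass

PUBLIC = "public"
PRIVATE = "private"


class ClassSecurityInfo:
    def __init__(self):
        self.default = "allow"        # Zope's default, as on OFS.SimpleItem
        self.names = {}               # attr name -> PUBLIC | PRIVATE | frozenset(perms)
        self.object_access = None     # None | PUBLIC | PRIVATE | frozenset(perms)

    def setDefaultAccess(self, mode):
        if mode not in ("allow", "deny"):
            raise ValueError("default access must be 'allow' or 'deny'")
        self.default = mode

    def declareProtected(self, permission, *names):
        for name in names:
            self.names[name] = frozenset({permission})

    def declarePublic(self, *names):
        for name in names:
            self.names[name] = PUBLIC

    def declarePrivate(self, *names):
        for name in names:
            self.names[name] = PRIVATE

    def declareObjectProtected(self, permission):
        self.object_access = frozenset({permission})

    def declareObjectPrivate(self):   # the supported spelling of __roles__ = ()
        self.object_access = PRIVATE


def _first_info_value(cls, pick):
    """Walk the MRO and return the first non-None value pick() extracts."""
    for klass in cls.__mro__:
        info = klass.__dict__.get("security")
        if info is not None:
            value = pick(info)
            if value is not None:
                return value
    return None


def _allowed(decl, granted):
    if decl is PUBLIC:
        return True
    if decl is PRIVATE:
        return False
    return bool(decl & granted)


def guarded_getattr(obj, name, granted):
    """Return obj.<name> if the caller's permissions allow it, else raise.
    This is the check a page template or DTML call goes through on the web."""
    cls = type(obj)
    obj_access = _first_info_value(cls, lambda i: i.object_access)
    if obj_access is not None and not _allowed(obj_access, granted):
        raise Unauthorized("You are not allowed to access this object")
    decl = _first_info_value(cls, lambda i: i.names.get(name))
    if decl is None:
        # Undeclared anywhere in the MRO: the most-derived default decides.
        if _first_info_value(cls, lambda i: i.default) != "allow":
            raise Unauthorized("You are not allowed to access '%s' in this context" % name)
    elif not _allowed(decl, granted):
        raise Unauthorized("You are not allowed to access '%s' in this context" % name)
    return getattr(obj, name)


class SimpleItemModel:
    """Stand-in for OFS.SimpleItem.SimpleItem: default 'allow', helpers undeclared."""
    security = ClassSecurityInfo()
    security.setDefaultAccess("allow")
    id = "item"
    title = ""

    def title_or_id(self):
        return self.title or self.id


class DenyAllProduct(SimpleItemModel):
    """The thread's problem case: default 'deny', only render() declared."""
    security = ClassSecurityInfo()
    security.setDefaultAccess("deny")
    security.declareObjectProtected("View")
    security.declareProtected("View", "render")
    id = "doc"
    api_token = "constructed-secret"   # simple-type attribute: cannot be declared

    def render(self):
        return "rendering " + self.title_or_id()


class DeclaredProduct(DenyAllProduct):
    """Dieter's fix: redeclare the inherited helpers that templates call."""
    security = ClassSecurityInfo()
    security.setDefaultAccess("deny")
    security.declareProtected("View", "render", "title_or_id")


class AllowAllProduct(DenyAllProduct):
    """Haim's question: default left at 'allow', every method declared."""
    security = ClassSecurityInfo()
    security.setDefaultAccess("allow")
    security.declareProtected("View", "render", "title_or_id")


def can_access(obj, name, granted=frozenset({"View"})):
    """True if a caller holding `granted` may read obj.<name> through the web."""
    try:
        guarded_getattr(obj, name, granted)
        return True
    except Unauthorized:
        return False
```

Running can_access over the three product classes gives the thread's outcomes: DenyAllProduct exposes render but refuses title_or_id with the exact "not allowed to access 'title_or_id' in this context" message, DeclaredProduct exposes both while still hiding the plain-string api_token, and AllowAllProduct, despite declaring every method, also hands out api_token, which is the risk of leaving the default at 'allow' that Dieter's reply points to.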
