[Zope3-dev] Zope 3 security issues
Steve Alexander
steve@cat-box.net
Fri, 01 Mar 2002 16:55:59 +0000
Hi Jim,
I've been patching things up in the Zope 3 HEAD to get the ZMI working
after Shane hooked up the new ZPT security system.
A few issues have come up.
1: What should the ZopeSecurityPolicy do about primitive values?
Particularly, ints, lists, Nones, string types.
At present, I've hacked ZopeSecurityPolicy to allow these as if
protected by Zope.Public.
2: What should we do about supporting
__allow_access_to_unprotected_subobjects__ ?
At present, I've allowed access to attributes of such objects, and to
methods of such objects, provided they are not already protected by
a __permission__ declaration.
3: What should we do about supporting the PageTemplate idiom
"request/response/setHeader" and similar?
Currently, response is an attribute of an HTTPRequest.
At present, I've punted, and advised Stephan to add an
__allow_access_to_unprotected_subobjects__ to HTTPRequest and
HTTPResponse on his branch.
I don't think this is the best way of doing things.
Basically, I've been changing the absolute minimum to get the ZMI
working now that security is hooked up. Once I know what things are
supposed to be like, I can go back and do things properly.
--
Steve Alexander