[Zope3-dev] Zope 3 security issues

Steve Alexander steve@cat-box.net
Fri, 01 Mar 2002 16:55:59 +0000


Hi Jim,

I've been patching things up in the Zope 3 HEAD to get the ZMI working 
after Shane hooked up the new ZPT security system.

A few issues have come up.

1: What should the ZopeSecurityPolicy do about primitive values?
    Particularly, ints, lists, Nones, string types.

    At present, I've hacked ZopeSecurityPolicy to allow these as if
    protected by Zope.Public.


2: What should we do about supporting
    __allow_access_to_unprotected_subobjects__ ?

    At present, I've allowed access to attributes of such objects, and to
    methods of such objects, provided they are not already protected by
    a __permission__ declaration.


3: What should we do about supporting the PageTemplate idiom 
"request/response/setHeader" and similar?

    Currently, response is an attribute of an HTTPRequest.

    At present, I've punted, and advised Stephan to add an
    __allow_access_to_unprotected_subobjects__ to HTTPRequest and
    HTTPResponse on his branch.
    I don't think this is the best way of doing things.


Basically, I've been changing the absolute minimum to get the ZMI 
working now that security is hooked up. Once I know what things are 
supposed to be like, I can go back and do things properly.

--
Steve Alexander
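The three rules in the message above (primitives treated as Zope.Public, `__allow_access_to_unprotected_subobjects__` honoured only for attributes without a `__permission__` declaration, and the `request/response/setHeader` traversal) modelled as a small policy. This is an added example written for this page, not the original post's code and not Zope 3's own ZopeSecurityPolicy; the class names HTTPRequest/HTTPResponse/Namespace/Plain, the dict shape of the `__permission__` declaration, the permission name "zope.ManageHeaders" and the ordering of the declared-permission check ahead of the primitive check are all assumptions.

```python
# Hypothetical model of the access rules discussed above; not Zope's code.
# Assumed: __permission__ is a class-level dict {attribute_name: permission}.

PRIMITIVES = (int, float, bool, str, bytes, list, tuple, dict, type(None))
PUBLIC = "Zope.Public"


class Forbidden(Exception):
    """Raised when the policy denies access to an attribute or method."""


class SecurityPolicy:
    """Decide whether a principal holding `granted` permissions may read
    attribute `name` of `container`, and resolve template paths with it."""

    def __init__(self, granted=()):
        self.granted = set(granted) | {PUBLIC}

    def check(self, container, name):
        value = getattr(container, name)
        # An explicit __permission__ declaration on the class always wins
        # (assumption: it is checked before the primitive shortcut).
        perm = getattr(type(container), "__permission__", {}).get(name)
        if perm is not None:
            if perm in self.granted:
                return value
            raise Forbidden("%s requires %s" % (name, perm))
        # Point 1: primitive values are allowed as if protected by Zope.Public.
        if isinstance(value, PRIMITIVES):
            return value
        # Point 2: undeclared attributes and methods are reachable only when
        # the container opts in with __allow_access_to_unprotected_subobjects__.
        if getattr(container, "__allow_access_to_unprotected_subobjects__", False):
            return value
        raise Forbidden("%s is unprotected and subobject access is off" % name)

    def traverse(self, root, path):
        """Resolve a path such as request/response/setHeader, checking
        every step against the policy."""
        obj = root
        for part in path.split("/"):
            obj = self.check(obj, part)
        return obj


class HTTPResponse:
    """Stand-in for the response object (constructed for this example)."""
    # The workaround from point 3: blanket access to unprotected subobjects.
    __allow_access_to_unprotected_subobjects__ = True

    def __init__(self):
        self.headers = {}

    def setHeader(self, name, value):
        self.headers[name] = value


class LockedResponse(HTTPResponse):
    """Same object, but setHeader carries a __permission__ declaration, so
    the blanket flag no longer exposes it (permission name assumed)."""
    __permission__ = {"setHeader": "zope.ManageHeaders"}


class HTTPRequest:
    """Stand-in for the request; response is one of its attributes."""
    __allow_access_to_unprotected_subobjects__ = True

    def __init__(self, response):
        self.response = response
        self.method = "GET"


class Namespace:
    """Root of a page-template path expression (constructed)."""
    __allow_access_to_unprotected_subobjects__ = True

    def __init__(self, request):
        self.request = request


class Plain:
    """Object with no opt-in flag and no declarations (constructed)."""

    def __init__(self):
        self.count = 3          # primitive: readable under point 1
        self.helper = object()  # non-primitive: denied under point 2


def allowed(container, name, granted=()):
    """True if a principal with `granted` may read container.name."""
    try:
        SecurityPolicy(granted).check(container, name)
        return True
    except Forbidden:
        return False


def reachable(path, granted=(), response_cls=HTTPResponse):
    """True if the template path resolves for a principal with `granted`."""
    root = Namespace(HTTPRequest(response_cls()))
    try:
        SecurityPolicy(granted).traverse(root, path)
        return True
    except Forbidden:
        return False
```

Run as written, `reachable("request/response/setHeader")` is True for a principal with no permissions at all: the blanket flag on HTTPRequest and HTTPResponse makes every undeclared method, setHeader included, reachable from any template. Swapping in LockedResponse shows what a `__permission__` declaration on the method buys: the same path is denied until the principal holds the declared permission, which is the behaviour the punt in point 3 does not give you.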