[Zope3-dev] Attributes in content components

Jim Fulton jim@zope.com
Sat, 23 Mar 2002 06:50:17 -0500


Steve Alexander wrote:
> 
> Hi folks,
> 
> I like the idea of using both attributes and methods in content
> components, as used in the Job Board application.

Me too.

> I'm trying to work out how this would tie in with security. Would the
> attributes need to be considered like properties, and optionally have
> different permissions for reading the attribute, and writing the attribute?

Yes. The right way to do this, IMO, is to check for descriptors.
IOW, you could use Python properties (and other similar descriptors)
to make security assertions to allow attribute syntax for both reading
and writing.
 
> In some sense, I feel that the attributes of a content component that
> are part of its public interface are more like properties.

Yes.

> They can be
> implemented using Python properties, and the simple attribute can be
> thought of as a special case of a very simple property.

What are simple attributes? We won't be able to allow access
from untrusted code unless we actually define Python properties.


> I guess that permissions can be attached to attributes by having the
> same mechanism that adds a __permission__ to methods handle attributes
> by replacing the attribute by a descriptor that acts like a property,
> but also has slots for read and write __permission__.

Right. It will set permissions on the descriptor __get__ and __set__
methods.

This will require an API to get descriptors without calling them.
Guido implemented this in lib/python/Zope/Misc/GetDescr.py. We'll also
need to modify the security machinery to check for descriptors when checking
named accesses. This might require a significant effort, since we don't 
always know we need to check security when named accesses are made. :(

Jim

--
Jim Fulton           mailto:jim@zope.com       Python Powered!        
CTO                  (888) 344-4332            http://www.python.org  
Zope Corporation     http://www.zope.com       http://www.zope.org
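
The mechanism discussed in this message, sketched as an added example that is not part of the original post and is not Zope's code: a descriptor carries separate read and write permissions, a lookup fetches the descriptor without calling it, and a checker consults it on each named access. Every class, function and permission name below is hypothetical, and the sample content component is constructed.

```python
# Added illustration; every name here is hypothetical, not a Zope API.
class Unauthorized(Exception):
    """Caller lacks the permission the descriptor declares."""

class SecuredAttribute:
    """Data descriptor carrying separate read and write permissions."""
    def __init__(self, read_permission, write_permission):
        self.read_permission = read_permission
        self.write_permission = write_permission

    def __set_name__(self, owner, name):
        self._slot = "_secured_" + name  # per-instance storage for the value

    def __get__(self, obj, objtype=None):
        return self if obj is None else getattr(obj, self._slot)

    def __set__(self, obj, value):
        setattr(obj, self._slot, value)

def get_descriptor(obj, name):
    """Return the class-level descriptor for name without invoking it."""
    for klass in type(obj).__mro__:
        if name in vars(klass):
            return vars(klass)[name]
    return None

class Checker:
    """Stand-in for the security machinery that checks named accesses."""
    def __init__(self, granted):
        self.granted = frozenset(granted)

    def _require(self, obj, name, kind):
        descr = get_descriptor(obj, name)
        permission = getattr(descr, kind + "_permission", None)
        # Default deny: a name with no declaring descriptor is not exposed.
        if permission is None or permission not in self.granted:
            raise Unauthorized(f"{kind} access to {name!r} denied")

    def read(self, obj, name):
        self._require(obj, name, "read")
        return getattr(obj, name)

    def write(self, obj, name, value):
        self._require(obj, name, "write")
        setattr(obj, name, value)

class JobListing:
    """Constructed sample content component."""
    title = SecuredAttribute("View", "Manage Content")
```

The checker only protects accesses that are routed through it, which is the difficulty the last paragraph of the message points at: direct attribute access on the object bypasses the check entirely.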