[Zope3-dev] Security Proxies

Roché Compaan roche at upfrontsystems.co.za
Tue Dec 23 16:09:16 EST 2003


* Jim Fulton <jim at zope.com> [2003-12-23 22:54]:
> Roché Compaan wrote:
> >I am busy moving a rather big app to Zope3 and my battle with security
> >proxies is becoming a bit of a show stopper. "setattr" on security proxies
> >doesn't remove proxies around "value" which causes the ZODB to complain
> >"Cannot pickle <type 'zope.security._proxy._Proxy'> objects". This
> >occurs at a point when the security.checker's check_setattr has already
> >passed without exceptions.
> 
> Note that the setattr security check has nothing to do with the value.
> The value of the attribute isn't taken into account.
> 
> >It is easily reproducible as well - just declare an interface with an
> >"Object" schema field, with add- and editform and implement it.
> 
> Right.  It have to remove proxies before saving a value.
> 
> >Now it doesn't seem right that schema fields should remove proxies
> >before calling setattr since a security check is done during "setattr".
> 
> No, it's fine to do that since the security check doesn't depend
> on the value.

Should all application code calling setattr then always remove proxies?
Wouldn't it be easier if the proxy takes care of it, i.e. whose
responsibility is it, the proxy's or the code calling setattr?

> >Hence my conclusion that this looks like a bug. If it is and I am not
> >missing something obvious I'll file it in the collector.
> 
> What is a bug? I can't tell what "this" is.

That the proxy's setattr doesn't remove the value's proxy before
persisting it.

-- 
Roché Compaan
Upfront Systems                 http://www.upfrontsystems.co.za
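
The behaviour discussed in this thread, as an added example that is not part of the original messages and does not use zope.security itself: `ToyProxy`, `unwrap` and `demo` are constructed stand-ins. The write check looks only at the attribute name, so a proxied value is stored as-is and breaks pickling until the caller strips the proxy.

```python
import pickle
from types import SimpleNamespace


class ToyProxy:
    """Constructed stand-in for a security proxy (not zope.security's class)."""
    __slots__ = ("_obj", "_writable")

    def __init__(self, obj, writable=()):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_writable", frozenset(writable))

    def __setattr__(self, name, value):
        # The check depends on the attribute name only, never on the value.
        if name not in self._writable:
            raise PermissionError(name)
        setattr(self._obj, name, value)  # value is stored as given, proxy included

    def __getattr__(self, name):
        return getattr(object.__getattribute__(self, "_obj"), name)

    def __reduce_ex__(self, protocol):
        # Proxies must never be persisted.
        raise pickle.PicklingError("Cannot pickle ToyProxy objects")


def unwrap(value):
    """Hypothetical helper: return the bare object behind a ToyProxy."""
    if isinstance(value, ToyProxy):
        return object.__getattribute__(value, "_obj")
    return value


def demo(strip):
    """Set a proxied value through a proxied object, then try to pickle it."""
    raw = SimpleNamespace()                          # the persistent object
    content = ToyProxy(raw, writable={"address"})
    value = ToyProxy(SimpleNamespace(city="constructed sample"))
    # The name check passes whether or not the value is still proxied.
    setattr(content, "address", unwrap(value) if strip else value)
    try:
        pickle.dumps(raw)
        return "pickled"
    except pickle.PicklingError as exc:
        return f"failed: {exc}"


if __name__ == "__main__":
    print("proxied value: ", demo(strip=False))
    print("unwrapped value:", demo(strip=True))
```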


