[Zope3-dev] Re: [z3-five] Suggested changes in Five/security.py

Lennart Regebro regebro at nuxeo.com
Fri Jan 14 10:10:00 EST 2005


Sidnei da Silva wrote:
> On Thu, Jan 13, 2005 at 07:19:46PM +0100, Lennart Regebro wrote:
> |     if permission is CheckerPublic or permission is None:
> |         return True
> 
> All looks good except the above. If permission is None it just means
> you couldn't find a utility registered by that permission. I would
> return False in that case.

You are correct.

The whole security thing is surprisingly confusing. Zope3 uses text 
strings for securities during configuration (I haven't delved deep 
enough to see if the text strings or the utilities are used in the rest 
of Zope3 but during the parsing and handling of zcml files it's text 
strings), however in one case ('zope.Public') it does NOT use the text 
string, but instead the CheckerPublic object.

Case in point: The handling of browser:page, which as "permission" gets 
a string, and if it is 'zope.Public' converts this to CheckerPublic and 
passes that on.

This means that in most cases of code you need to test on the unity of 
the CheckerPublic object (as well as None) before going on and fetching 
the actual Permission utility. Because there *is* a Permission utility 
for 'zope.Public' as well. And that utility is not CheckerPublic.

I find this a bit confusing. Does anybody know if there is a reason why 
we can't be consistent, and use either all strings, or all objects (in 
which case we would use CheckerPublic as the utility I guess)?

I don't need a thorough explanation, it's enough if somebody that knows 
says that there is a bloody good reason. ;)

(In any case, I have checked in the new checkPermissions in Five now.)

-- 
Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/
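
Added example, not part of the original message and not Five's or Zope's code: a self-contained model of the check discussed above, showing the quoted variant (None treated as public) beside the one that returns False when no Permission utility is found. The sentinel, the registry, `resolve` and the `granted` set are stand-ins assumed for illustration.

```python
# Stand-ins constructed for this example; they only model the behaviour
# described in the thread and are not the real Zope 3 / Five objects.
class _PublicSentinel:
    def __repr__(self):
        return "CheckerPublic"

CheckerPublic = _PublicSentinel()   # plays the role of the CheckerPublic object

class Permission:
    def __init__(self, id):
        self.id = id

# Models the registered Permission utilities. 'zope.Public' has its own
# utility here, and that utility is a different object from CheckerPublic.
PERMISSIONS = {n: Permission(n) for n in ("zope.Public", "zope.View")}

def resolve(permission_id):
    """Model of the zcml handling: 'zope.Public' becomes the sentinel,
    anything else is looked up and yields None when nothing is registered."""
    if permission_id == "zope.Public":
        return CheckerPublic
    return PERMISSIONS.get(permission_id)

def check_fail_open(permission, granted):
    # The quoted variant: a failed lookup (None) is treated like public.
    if permission is CheckerPublic or permission is None:
        return True
    return permission.id in granted

def check_fail_closed(permission, granted):
    # Variant after the review comment: only the sentinel means public,
    # and a missing utility denies access.
    if permission is CheckerPublic:
        return True
    if permission is None:
        return False
    return permission.id in granted

def demo():
    rows = []
    # 'zope.Veiw' is a constructed typo that matches no registered utility.
    for pid in ("zope.Public", "zope.View", "zope.Veiw"):
        p = resolve(pid)
        rows.append((pid, check_fail_open(p, set()), check_fail_closed(p, set())))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```

With an empty `granted` set, the misspelled id is allowed by the first variant and denied by the second; both deny 'zope.View' and allow the sentinel.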