[Zope3-dev] Re: [z3-five] Suggested changes in Five/security.py
Lennart Regebro
regebro at nuxeo.com
Fri Jan 14 10:10:00 EST 2005
Sidnei da Silva wrote:
> On Thu, Jan 13, 2005 at 07:19:46PM +0100, Lennart Regebro wrote:
> | if permission is CheckerPublic or permission is None:
> |     return True
>
> All looks good except the above. If permission is None it just means
> you couldn't find a utility registered by that permission. I would
> return False in that case.

You are correct.

The whole security thing is surprisingly confusing. Zope3 uses text
strings for securities during configuration (I haven't delved deep
enough to see if the text strings or the utilities are used in the rest
of Zope3, but during the parsing and handling of zcml files it's text
strings). However, in one case ('zope.Public') it does NOT use the text
string, but instead the CheckerPublic object.

Case in point: The handling of browser:page, which as "permission" gets
a string, and if it is 'zope.Public' converts this to CheckerPublic and
passes that on.

This means that in most cases of code you need to test on the unity of
the CheckerPublic object (as well as None) before going on and fetching
the actual Permission utility. Because there *is* a Permission utility
for 'zope.Public' as well. And that utility is not CheckerPublic.

I find this a bit confusing. Does anybody know if there is a reason why
we can't be consistent, and use either all strings, or all objects (in
which case we would use CheckerPublic as the utility I guess)?

I don't need a thorough explanation, it's enough if somebody that knows
says that there is a bloody good reason. ;)

(In any case, I have checked in the new checkPermissions in Five now.)

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
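
An added illustration of the check discussed in this message; it is not part of the original post and is not Five's or Zope3's code. It models the two behaviours for a permission that resolves to None; `Permission`, `PERMISSIONS`, `resolve`, `check_fail_open` and `check_fail_closed` are hypothetical stand-ins, and `CheckerPublic` here is a local marker object, not the Zope one.

```python
from collections import namedtuple

# Stand-alone model: nothing here imports Zope or Five. CheckerPublic,
# Permission, PERMISSIONS and the three functions below are stand-ins.
Permission = namedtuple("Permission", "id title")

class _PublicMarker:
    def __repr__(self):
        return "CheckerPublic"

CheckerPublic = _PublicMarker()  # singleton marker, compared with "is"

# Constructed registry of permission utilities. 'zope.Public' has a
# utility too, and that utility is not the CheckerPublic object.
PERMISSIONS = {
    pid: Permission(pid, title)
    for pid, title in [("zope.Public", "Public"), ("zope.View", "View"),
                       ("zope.ManageContent", "Manage content")]
}

def resolve(permission_id):
    """Model of the configuration step described above: 'zope.Public'
    becomes CheckerPublic, any other id is looked up and may yield None."""
    if permission_id == "zope.Public":
        return CheckerPublic
    return PERMISSIONS.get(permission_id)

def check_fail_open(permission, granted_ids):
    """The quoted first draft: None is treated like CheckerPublic."""
    if permission is CheckerPublic or permission is None:
        return True
    return permission.id in granted_ids

def check_fail_closed(permission, granted_ids):
    """The reviewed behaviour: an unresolved permission denies access."""
    if permission is CheckerPublic:  # identity test on the marker object
        return True
    if permission is None:           # no utility registered under that id
        return False
    return permission.id in granted_ids

if __name__ == "__main__":
    anonymous = set()  # a principal holding no permissions
    # The last id is a deliberately misspelled, constructed value.
    for pid in ("zope.Public", "zope.View", "zope.ManageContnet"):
        p = resolve(pid)
        print(pid, p, check_fail_open(p, anonymous), check_fail_closed(p, anonymous))
```

With the first draft, a misspelled or unregistered permission id behaves like a public one; the reviewed version denies it.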