Chris Withers wrote:
Hi,
If I have the following lines in a Python Product:
def __init__(self, id): """initialise a new instance of product""" self.id = id self.title = 'Title!' self.anInt = 0 self.aString = 'testing'
Are these attributes protected by the security machinery? If so, how so?
Yes. There are two ways of protecting objects, depending on whether they (can) have a __roles__ attribute. None of the values above can have a __roles__ attribute, so they are covered by assertions made in their containers. See http://www.zope.org/Members/michel/Projects/Interfaces/ZopeSecurityPolicy Note that if you can't adequately control something that can't have __roles__, you can provide an access function (e.g. getAnInt), which you can control
Can I read them? I think the answer is yes for anInt and no for aString.
Probably, if you can get at one, you can get at the other.
Don't know the mechanics of title and id, I'm guessing they're going to be special cases whatever...
Nope, except that we may provide separate accessors (e.g. getId).
Are they protectable by permissions? I do hope so although my experience is that, at best, it's not necessary, which is contrary towhat I thought the new security policy was.
The goal of the new security policy was to: - Centralize authorization policies - Begin the tightening of access to attributes/sub-objects that can't have roles.
Should they have to be protected by permissions? Probably...
If you need the sort of control that permissions provide, you should consider providing accessors that can play with permissions. Jim -- Jim Fulton mailto:jim@digicool.com Python Powered! Technical Director (888) 344-4332 http://www.python.org Digital Creations http://www.digicool.com http://www.zope.org Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email address may not be added to any commercial mail list with out my permission. Violation of my privacy with advertising or SPAM will result in a suit for a MINIMUM of $500 damages/incident, $1500 for repeats.