On 26 Jul 2001 08:53:37 -0700, Michel Pelletier wrote:
"Michael R. Bernstein" wrote:
Hi everyone,
Ok, I'm developing a python Product and have gotten to the stage where I am adding security declarations. I understand the default policy (once you've added a ClassSecurityInfo instance to the class and called InitializeClass(yourClass)) should be to deny access to methods that don't have any security declarations.
This doesn't seem to be the case. Even though I have *not* added security.setDefaultAccess("allow"), access to unprotected methods (both regular methods and HTMLFile methods) is being allowed rather than denied.
Protecting methods with a permission works as it should.
Can anyone help diagnose this?
Does your component derive from SimpleItem? If so, you are inadvertently inheriting __allow_access_to_unprotected_subobjects__. Unfortunately, this means that almost all Zope objects inherit this, including yours, I presume.
The way around this is to either set the above class attribute (in *your* class) to zero, or protect everything with a permission.
I've tried this, and have not been able to get it to work. For whatever reason, the default security policy is *not* working WRT my code. An anonymous user has access to all unprotected methods and subobjects. I can provide my code for examination, if that will help.

Michael Bernstein.
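The inheritance question raised in the quoted reply can be checked mechanically: which class in the hierarchy actually supplies `__allow_access_to_unprotected_subobjects__`, and which public methods carry no declaration at all. The following is an added example, not code from this thread or from Zope. It uses constructed stand-in classes and assumes that security declarations end up as `<name>__roles__` class attributes and that the flag is a plain true/false value.

```python
# Added diagnostic sketch; the stand-in classes are constructed and do not import Zope.
FLAG = "__allow_access_to_unprotected_subobjects__"


def flag_origin(cls):
    """Return (class_name, value) for the first class in the MRO that sets the flag."""
    for klass in cls.__mro__:
        if FLAG in vars(klass):
            return klass.__name__, vars(klass)[FLAG]
    return None, None  # no class sets it: unprotected access falls back to deny


def undeclared_methods(cls):
    """Public callables with no '<name>__roles__' attribute anywhere in the MRO."""
    names = set()
    for klass in cls.__mro__:
        if klass is object:
            continue
        for name, value in vars(klass).items():
            if name.startswith("_") or name.endswith("__roles__"):
                continue
            if callable(value) and not hasattr(cls, name + "__roles__"):
                names.add(name)
    return sorted(names)


def audit(cls):
    """Summarise where the flag comes from and what it leaves reachable."""
    origin, value = flag_origin(cls)
    exposed = undeclared_methods(cls) if value else []  # assumption: truthy flag = allow
    return {"flag_set_by": origin, "flag_value": value,
            "reachable_without_declaration": exposed}


# Constructed stand-in for a permissive base class (assumption, not Zope's SimpleItem).
class SimpleItemStandIn:
    __allow_access_to_unprotected_subobjects__ = 1

    def title_or_id(self): ...


class MyProduct(SimpleItemStandIn):
    edit__roles__ = ("Manager",)  # simplified trace of a protected declaration

    def edit(self): ...
    def report(self): ...         # no declaration of any kind


class MyProductLocked(MyProduct):
    __allow_access_to_unprotected_subobjects__ = 0  # override in the product's own class
```

Running `audit()` against the real product class shows whether the zero override is the value the lookup finds first, or whether another base class earlier in the MRO still supplies a true value.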