Jamie Heilman wrote:
Lately I've been noticing that http://host/zopeobject/manage_options is accessible TTW with no priveleges. Unless I'm on crack, wasn't always like this. I've been trying to figure out what changed and the only thing I can discern is is that may be related to using python 2.2. I've seen it happen with 2.6.1 & python 2.2, and I've seen it happen with HEAD & python 2.2, but never 2.6.1 & python 2.1.3. Can anyone else corroborate this? Even better does anyone else know how to fix it? I'm wondering if there's more hanging out in the open than just some attributes here and there.
You've uncovered an important difference between Python 2.1 and Python 2.2. Built-in objects now have docstrings. That means Zope running on Python 2.2 currently reveals a lot more TTW than Python 2.1 did. It's a good thing we haven't make Python 2.2 support official yet. (Python 2.1.3)
().__doc__ Traceback (most recent call last): File "<stdin>", line 1, in ? AttributeError: 'tuple' object has no attribute '__doc__'
(Python 2.2.2)
().__doc__ "tuple() -> an empty tuple\ntuple(sequence) -> tuple initialized from sequence's items\n\nIf the argument is a tuple, the return value is the same object."
The same thing changed for integers and strings (and probably all other built-in types). The __doc__ check has always been hackish anyway. Ideas? Shane