Hi everyone,
Ok, I'm developing a python Product and have gotten to the stage where I am adding security declarations. I understand the default policy (once you've added a ClassSecurityInfo instance to the class and called InitializeClass(yourClass) ) should be to deny access to methods that don't have any security declarations.
This doesn't seem to be the case. Even though I have *not* added security.setDefaultAccess("allow"), access to unprotected methods (both regular methods and HTMLFile methods) is being allowed rather than denied.
Protecting methods with a permission works as it should.
Can anyone help diagnose this?
Michael Bernstein.
On 26 Jul 2001 10:08:23 +0100, Chris Withers wrote:
"Michael R. Bernstein" wrote:
Can anyone help diagnose this?
Are you subclassing from anything that inherits from SimpleItem?
I'm subclassing directly from SimpleItem. Is this a problem?
Michael Bernstein.
"Michael R. Bernstein" wrote:
On 26 Jul 2001 10:08:23 +0100, Chris Withers wrote:
"Michael R. Bernstein" wrote:
Can anyone help diagnose this?
Are you subclassing from anything that inherits from SimpleItem?
I'm subclassing directly from SimpleItem. Is this a problem?
SimpleItem allows public access to all attributes of any class that subclasses from it.
Welcome to hell ;-)
Chris
On 26 Jul 2001 10:18:25 +0100, Chris Withers wrote:
"Michael R. Bernstein" wrote:
On 26 Jul 2001 10:08:23 +0100, Chris Withers wrote:
"Michael R. Bernstein" wrote:
Can anyone help diagnose this?
Are you subclassing from anything that inherits from SimpleItem?
I'm subclassing directly from SimpleItem. Is this a problem?
SimpleItem allows public access to all attributes of any class that subclasses from it.
Ok. I assume that doing 'security.setDefaultAccess("allow")' in my class will fix things?
Welcome to hell ;-)
Any other security pitfalls I need to be wary of?
Thanks,
Michael Bernstein.
"Michael R. Bernstein" wrote:
Hi everyone,
Ok, I'm developing a python Product and have gotten to the stage where I am adding security declarations. I understand the default policy (once you've added a ClassSecurityInfo instance to the class and called InitializeClass(yourClass) ) should be to deny access to methods that don't have any security declarations.
This doesn't seem to be the case. Even though I have *not* added security.setDefaultAccess("allow"), access to unprotected methods (both regular methods and HTMLFile methods) is being allowed rather than denied.
Protecting methods with a permission works as it should.
Can anyone help diagnose this?
Does your component derive from SimpleItem? If so, you are inadvertently inheriting __allow_access_to_unprotected_subobjects__. Unfortunately, this means that almost all Zope objects inherit this, including yours, I presume.
The way around this is to either set the above class attribute (in *your* class) to zero, or protect everything with a permission.
-Michel
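Added example, not part of the thread and not Zope's own code: a small audit that reports which base class supplies `__allow_access_to_unprotected_subobjects__` and which public methods carry no declaration. It assumes Zope's convention of recording a declaration as a `<name>__roles__` class attribute; `SimpleItemLike`, `MyProduct` and `MyHardenedProduct` are constructed stand-ins so the block runs without Zope installed.

```python
import inspect

FLAG = "__allow_access_to_unprotected_subobjects__"

class SimpleItemLike:
    """Constructed stand-in for a base class that sets the flag to 1."""
    __allow_access_to_unprotected_subobjects__ = 1
    def title_or_id(self):
        return "id"

class MyProduct(SimpleItemLike):
    """Constructed product: one protected method, one forgotten one."""
    def edit(self):
        return "edited"
    # Simplified stand-in for what a permission declaration leaves behind.
    edit__roles__ = ("Manager",)
    def dump_config(self):
        return "internal"

class MyHardenedProduct(MyProduct):
    """Same product with the flag overridden in the class itself."""
    __allow_access_to_unprotected_subobjects__ = 0

def flag_origin(cls):
    """Return (value, defining class name) for the flag, or (None, None)."""
    for base in cls.__mro__:
        if FLAG in vars(base):
            return vars(base)[FLAG], base.__name__
    return None, None

def undeclared_methods(cls):
    """Public methods with no <name>__roles__ attribute on the class."""
    return sorted(
        name
        for name, _ in inspect.getmembers(cls, inspect.isfunction)
        if not name.startswith("_") and not hasattr(cls, name + "__roles__")
    )

def audit(cls):
    """Summarise exposure; only the integer form of the flag is modelled."""
    value, origin = flag_origin(cls)
    exposed = undeclared_methods(cls) if value else []
    return {"flag": value, "set_by": origin, "exposed": exposed}

if __name__ == "__main__":
    for cls in (MyProduct, MyHardenedProduct):
        print(cls.__name__, audit(cls))
```

Running the same `audit()` over a real product class shows whether the flag comes from the class itself or from a base class, which is the distinction the replies above turn on.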
On 26 Jul 2001 08:53:37 -0700, Michel Pelletier wrote:
"Michael R. Bernstein" wrote:
This doesn't seem to be the case. Even though I have *not* added security.setDefaultAccess("allow"), access to unprotected methods (both regular methods and HTMLFile methods) is being allowed rather than denied.
Protecting methods with a permission works as it should.
Can anyone help diagnose this?
Does your component derive from SimpleItem? If so, you are inadvertently inheriting __allow_access_to_unprotected_subobjects__. Unfortunately, this means that almost all Zope objects inherit this, including yours, I presume.
The way around this is to either set the above class attribute (in *your* class) to zero, or protect everything with a permission.
Ok, thanks. This seems counter to the thrust of the security chapter in the developers guide, where it pretty much unequivocally states that unless your class has 'security.setDefaultAccess("allow")', it will follow the default policy, which is to deny the access.
Is the dev-guide intended to reflect an ideal that Zope hasn't achieved yet? Will future versions of Zope reverse this behaviour of SimpleItem?
Thanks,
Michael Bernstein.
On 26 Jul 2001 08:53:37 -0700, Michel Pelletier wrote:
"Michael R. Bernstein" wrote:
Hi everyone,
Ok, I'm developing a python Product and have gotten to the stage where I am adding security declarations. I understand the default policy (once you've added a ClassSecurityInfo instance to the class and called InitializeClass(yourClass) ) should be to deny access to methods that don't have any security declarations.
This doesn't seem to be the case. Even though I have *not* added security.setDefaultAccess("allow"), access to unprotected methods (both regular methods and HTMLFile methods) is being allowed rather than denied.
Protecting methods with a permission works as it should.
Can anyone help diagnose this?
Does your component derive from SimpleItem? If so, you are inadvertently inheriting __allow_access_to_unprotected_subobjects__. Unfortunately, this means that almost all Zope objects inherit this, including yours, I presume.
The way around this is to either set the above class attribute (in *your* class) to zero, or protect everything with a permission.
I've tried this, and have not been able to get it to work. For whatever reason, the default security policy is *not* working WRT my code. An anonymous user has access to all unprotected methods and subobjects.
I can provide my code for examination, if that will help.
Michael Bernstein.
participants (3): Chris Withers, Michael R. Bernstein, Michel Pelletier