Re: [ZPT] accessing object attributes from python expression raises error
On Tue, 2002-01-08 at 14:01, Evan Simpson wrote:
Michael R. Bernstein wrote:
[snip stuff about accessing a browser_id_manager's meta_type from unrestricted code raising an unauthorized exception]
Will this be fixed for 2.5 final?
That depends. We're currently waiting for feedback on 2.5b3. Depending on how that goes, these changes may need to wait for 2.5.1.
Perhaps I am under-estimating how difficult the fix is. I'm assuming that you simply need to add an appropriate security declaration to the BrowserIdManager class...
Oh, wait... meta_type is an attribute, so you can't just do
security.declareProtected(ACCESS_CONTENTS_PERM, 'meta_type')
Hmm... The id attribute has the getId method, perhaps what's required is a getMetaType method that can be suitably protected?
This would still be a pretty easy fix:
security.declareProtected(ACCESS_CONTENTS_PERM, 'getMetaType')
def getMetaType(self):
    """ """
    return self.meta_type
Am I missing something?
Michael Bernstein.
meta_type is an attribute, so you can't just do
security.declareProtected(ACCESS_CONTENTS_PERM, 'meta_type')
That's right.
The id attribute has the getId method, perhaps what's required is a getMetaType method that can be suitably protected?
This would still be a pretty easy fix:
security.declareProtected(ACCESS_CONTENTS_PERM, 'getMetaType')
def getMetaType(self):
    """ """
    return self.meta_type
Am I missing something?
Nope, that would work. But I think also:
meta_type__roles__ = None
.. as a class attr would work as well.
I'll try it and let you know if it works.
--
Chris McDonough Zope Corporation
http://www.zope.org http://www.zope.com
"Killing hundreds of birds with thousands of stones"
From: "Chris McDonough":
meta_type is an attribute, so you can't just do
security.declareProtected(ACCESS_CONTENTS_PERM, 'meta_type')
That's right.
The id attribute has the getId method, perhaps what's required is a getMetaType method that can be suitably protected?
This would still be a pretty easy fix:
security.declareProtected(ACCESS_CONTENTS_PERM, 'getMetaType')
def getMetaType(self):
    """ """
    return self.meta_type
Am I missing something?
Nope, that would work. But I think also:
meta_type__roles__ = None
.. as a class attr would work as well.
I'll try it and let you know if it works.
security.setDefaultAccess({'meta_type': 1}) should do
the parameter is what has been __allow_access_to_unprotected_subobjects__, that can be a boolean, dictionary or callable
On Wed, 2002-01-09 at 01:40, Wolfram Kerber wrote:
From: "Chris McDonough":
meta_type is an attribute, so you can't just do
security.declareProtected(ACCESS_CONTENTS_PERM, 'meta_type')
That's right.
The id attribute has the getId method, perhaps what's required is a getMetaType method that can be suitably protected?
This would still be a pretty easy fix:
security.declareProtected(ACCESS_CONTENTS_PERM, 'getMetaType')
def getMetaType(self):
    """ """
    return self.meta_type
Am I missing something?
Nope, that would work. But I think also:
meta_type__roles__ = None
.. as a class attr would work as well.
I'll try it and let you know if it works.
security.setDefaultAccess({'meta_type': 1}) should do
the parameter is what has been __allow_access_to_unprotected_subobjects__, that can be a boolean, dictionary or callable
Interesting. I didn't think you could have more than one setDefaultAccess in a class. If you can, then you can set:
security.setDefaultAccess('deny')
security.setDefaultAccess({'meta_type': 1})
But otherwise, you would have to list all attributes of the class in the dict of a single statement, wouldn't you?
Michael Bernstein.
Interesting. I didn't think you could have more than one setDefaultAccess in a class. If you can, then you can set:
security.setDefaultAccess('deny')
security.setDefaultAccess({'meta_type': 1})
The last 'setDefaultAccess' statement in a class will define the actual behaviour, i.e. use only one.
But otherwise, you would have to list all attributes of the class in the dict of a single statement, wouldn't you?
No, all attributes that aren't in the dict are private.
Wolfram
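An added example, not part of the original thread and not Zope's AccessControl code: a simplified Python model of the rules stated above (the dict form of setDefaultAccess as an allowlist, the last call winning, and `meta_type__roles__ = None` opening one attribute). `ToySecurityInfo`, `may_access`, `readable_attrs`, the sample classes and the `cookie_secret` attribute are hypothetical, and the `(name, value)` arguments passed to a callable policy are an assumption of this model.

```python
# Simplified model of the check discussed in this thread; not Zope's own code.
# ToySecurityInfo, may_access, readable_attrs and cookie_secret are hypothetical.
_NO_ROLES = object()  # marker: attribute has no <name>__roles__ declaration


class ToySecurityInfo:
    def __init__(self):
        self.default_access = None

    def setDefaultAccess(self, access):
        # Each call overwrites the previous one, so only the last call counts.
        if isinstance(access, str):
            access = access.lower() == 'allow'
        self.default_access = access


def may_access(container, name):
    """Return True if restricted code may read container.<name>."""
    roles = getattr(container, name + '__roles__', _NO_ROLES)
    if roles is None:               # <name>__roles__ = None: public attribute
        return True
    if roles is not _NO_ROLES:      # role-protected: outside this model, deny
        return False
    policy = container.security.default_access
    if isinstance(policy, dict):
        policy = policy.get(name)   # names missing from the dict are private
    elif callable(policy):
        policy = policy(name, getattr(container, name))
    return bool(policy)


class DictPolicy:                   # constructed sample class
    security = ToySecurityInfo()
    security.setDefaultAccess('deny')
    security.setDefaultAccess({'meta_type': 1})   # last call wins
    meta_type = 'Sample Manager'
    cookie_secret = 'constructed-value'


class RolesPolicy:                  # constructed sample class
    security = ToySecurityInfo()
    security.setDefaultAccess('deny')
    meta_type = 'Sample Manager'
    meta_type__roles__ = None
    cookie_secret = 'constructed-value'


def readable_attrs(obj, names=('meta_type', 'cookie_secret')):
    return [n for n in names if may_access(obj, n)]
```

In both sample classes only `meta_type` is readable; reversing the two setDefaultAccess calls in `DictPolicy` would leave nothing readable, because the later 'deny' replaces the dict.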
On Wed, 2002-01-09 at 10:13, Wolfram Kerber wrote:
I didn't think you could have more than one setDefaultAccess in a class. If you can, then you can set:
security.setDefaultAccess('deny')
security.setDefaultAccess({'meta_type': 1})
The last 'setDefaultAccess' statement in a class will define the actual behaviour, i.e. use only one.
But otherwise, you would have to list all attributes of the class in the dict of a single statement, wouldn't you?
No, all attributes that aren't in the dict are private.
Thanks, Wolfram. That was very informative.
This will let classes that use declarative security have a deny by default policy, while still allowing access to certain attributes for backward compatibility.
Michael Bernstein.
This has been used to solve the problem seen by Michael when iterating over items and getting "meta_type" where the sessioning objects were in the list of items being iterated over.
Michael R. Bernstein wrote:
On Wed, 2002-01-09 at 10:13, Wolfram Kerber wrote:
I didn't think you could have more than one setDefaultAccess in a class. If you can, then you can set:
security.setDefaultAccess('deny')
security.setDefaultAccess({'meta_type': 1})
The last 'setDefaultAccess' statement in a class will define the actual behaviour, i.e. use only one.
But otherwise, you would have to list all attributes of the class in the dict of a single statement, wouldn't you?
No, all attributes that aren't in the dict are private.
Thanks, Wolfram. That was very informative.
This will let classes that use declarative security have a deny by default policy, while still allowing access to certain attributes for backward compatibility.
Michael Bernstein.