On Fri, Dec 02, 2005 at 11:57:16PM +0100, Florent Guillaume wrote:
Paul Winkler wrote: (snip)
Well, the thing is, the declaration that makes the method public *has no effect* unless your class participates in acquisition.
That's not true. The objects of this class will be perfectly accessible to a restricted user:
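
    from AccessControl import ClassSecurityInfo
    from Globals import InitializeClass  # Zope 2 location of InitializeClass

    class MyStuff(object):
        security = ClassSecurityInfo()
        # Make instances accessible and allow unprotected attributes by default
        security.declareObjectPublic()
        security.setDefaultAccess('allow')

        def foo(self):
            return 'bar'

    InitializeClass(MyStuff)
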
Which also can be written more shortly and less invasively:

    class MyStuff(object):
        def foo(self):
            return 'bar'

    from AccessControl import allow_class
    allow_class(MyStuff)

So it is. Thanks for the clarification. What confused me is that the following *does* need the inheritance from Acquisition:

    from AccessControl import ClassSecurityInfo
    from Acquisition import Implicit
    from Globals import InitializeClass  # Zope 2 location of InitializeClass

    class Foo3(Implicit):
        security = ClassSecurityInfo()

        # Declare only the 'bar' method public
        security.declarePublic('bar')
        def bar(self):
            return "hello from foo3"

    InitializeClass(Foo3)

In this case, if you remove the (Implicit), you get AccessDenied because "The container has no security assertions". I mistakenly assumed that the same was necessary when using allow_class. Thanks for clearing that up.
Oh, and the instance needs to be given an acquisition context, too, e.g. foo = foo.__of__(some_parent)
It's only if you want to protect a method with a specific permission that's not public or private that you'll have to provide acquisition context so that Zope can find out what roles have this permission and match them against the current user's roles:
Apparently you're right about this too :-) I never knew that. Thanks.

-- 
Paul Winkler
http://www.slinkp.com
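
Added example, not part of the thread and not Zope's own code: a simplified pure-Python model of the last point, that a method protected by a specific permission needs acquisition context so the roles holding that permission can be found and matched against the user's roles. The `Node` class, the `Edit stuff` permission, the role names and the `Manager` fallback are assumptions made for the illustration.

```python
# Toy model (not Zope code): resolve the roles that hold a permission by
# walking an object's parent chain, the way acquisition context is used.
DEFAULT_ROLES = ("Manager",)  # assumed fallback when nothing is found


class Node:
    """Constructed stand-in for an object that may have a parent (context)."""

    def __init__(self, name, parent=None, permission_roles=None):
        self.name = name
        self.parent = parent  # None models "no acquisition context"
        # Maps permission name -> roles; a tuple stops the walk, a list
        # means "these roles, plus whatever the parents grant".
        self.permission_roles = permission_roles or {}

    def wrapped_in(self, parent):
        """Model of giving an instance a context (compare foo.__of__(parent))."""
        return Node(self.name, parent, self.permission_roles)


def roles_for_permission(obj, permission):
    """Collect roles for `permission`, starting at obj and walking up."""
    collected = []
    while obj is not None:
        roles = obj.permission_roles.get(permission)
        if isinstance(roles, tuple):  # explicit setting, do not look further
            return tuple(collected) + roles
        if roles:
            collected.extend(roles)
        obj = obj.parent
    return tuple(collected) or DEFAULT_ROLES


def allowed(user_roles, obj, permission):
    """True if the user holds at least one role that has the permission."""
    return bool(set(user_roles) & set(roles_for_permission(obj, permission)))


# Constructed sample: the site root grants the hypothetical permission
# "Edit stuff" to Editor; the bare instance carries no role mapping itself.
root = Node("root", permission_roles={"Edit stuff": ("Manager", "Editor")})
bare = Node("foo")
in_context = bare.wrapped_in(root)
```

In this model an Editor is refused on `bare` because the lookup never reaches `root`, and is allowed on `in_context`.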