At 18:43 16/01/2002, you wrote: Sorry about cross-posting but I think the following info is worth reading for both zope-users and developers.
Note that up until Zope 2.5.0b4 there is a bug in the way module security assertions are handled that makes it impossible to declare more than one assertion without overwriting a previous assertion. It's not really a "security hole", it's just annoying and clearly broken. I'd suggest that you complain about this (or do it yourself) if you think a monkeypatch is in order for Zope 2.3/2.4.
I went to CVS and read AccessControl.SecurityInfo.py The code looked simple enough that I would take no risk by including it even if my understanding of the inner-working of Zope is still elementary. The following patch works to correct the problem for Zope 2.3.3. It does not seem to cause any other problem. # patch taken from Zope 2.5 from string import rfind # 1.5.2 syntax def ModuleSecurityInfo(module_name=None): if module_name is not None: modsec = _moduleSecurity.get(module_name, None) if modsec is not None: return modsec dot = rfind(module_name, '.') # 1.5.2 syntax if dot > 0: # If the module is in a package, recursively make sure # there are security declarations for the package steps # leading to the module modname = module_name[dot + 1:] pmodsec = ModuleSecurityInfo(module_name[:dot]) if not pmodsec.names.has_key(modname): pmodsec.declarePublic(modname) return _ModuleSecurityInfo(module_name) class _ModuleSecurityInfo(SecurityInfo): """Encapsulate security information for modules.""" in place of class ModuleSecurityInfo(SecurityInfo): """Encapsulate security information for modules.""" I do not know what you mean by a 'monkeypatch' but it is certainly worth it to add the patch to 2.3.x and 2.4.x branches.
Godefroid Chapelle wrote:
Casey Duncan wrote:
So the following things don't work:
from Products.Formulator.Form import FormValidationError
Either Martijn or you need to add the following lines to a Product __init__.py somewhere:
from AccessControl import ModuleSecurityInfo ModuleSecurityInfo('Products').declarePublic('Formulator') ModuleSecurityInfo('Products.Formulator').declarePublic('Form')
ModuleSecurityInfo('Products.Formulator.Form').declarePublic('FormValidationError')
Cheers,
Evan @ Zope
I added the above code in the corresponding __init__.py on my machine. Which works almost perfectly...: Further, I needed to be able to import : from Products.gvibDA.gvib.gvibExceptions import IntegrityError
So I added the following code in gvibDA's __init__.py from Products.PythonScripts.Utility import allow_module, allow_class from AccessControl import ModuleSecurityInfo, ClassSecurityInfo from Globals import InitializeClass ModuleSecurityInfo('Products').declarePublic('gvibDA') ModuleSecurityInfo('Products.gvibDA').declarePublic('gvib') ModuleSecurityInfo('Products.gvibDA.gvib').declarePublic('gvibExceptions') ModuleSecurityInfo('Products.gvibDA.gvib.gvibExceptions').declarePublic('IntegrityError')
from gvib.gvibExceptions import IntegrityError allow_class(IntegrityError)
I get an 'Unauthorized: Formulator' error when accessing a script beginning with from Products.Formulator.Form import FormValidationError from Products.gvibDA.gvib.gvibExceptions import IntegrityError
I suppose it has something to do with the creation of two instances of ModuleSecurityInfo('Products') but have no idea how to correct the problem. Any help would be appreciated.
--
Godefroid Chapelle BubbleNet sprl rue Victor Horta, 18 / 202 1348 Louvain-la-Neuve Belgium Tel + 32 (10) 459901 Mob + 32 (477) 363942 TVA 467 093 008 RC Niv 49849
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
-- Godefroid Chapelle BubbleNet sprl rue Victor Horta, 18 / 202 1348 Louvain-la-Neuve Belgium Tel + 32 (10) 459901 Mob + 32 (477) 363942 TVA 467 093 008 RC Niv 49849