Your Python code indentation did not make it successfully through email so I can only guess what the code really means. But here's a more verbose description of a solution with an entirely separate set of domain objects.

Say you have an object that you want to return that cannot be protected with security declarations (perhaps attributes can't be set on it because it's an instance of a C-defined type that doesn't have a setattr), call this "foo". Say that it has methods "getOne" and "getTwo" that you want to use in TTW code. Say that getOne and getTwo don't return "complex" objects (instances), but normal Python objects like strings (which don't need their own security declarations).

You would define a wrapper class in your external method like so:

    from AccessControl import ClassSecurityInfo
    import Globals

    class FooWrapper:
        security = ClassSecurityInfo()
        security.declareObjectPublic()

        def __init__(self, real_foo):
            # keep a reference to the object that cannot carry declarations
            self.real_foo = real_foo

        security.declarePublic('getOne')
        def getOne(self):
            return self.real_foo.getOne()

        security.declarePublic('getTwo')
        def getTwo(self):
            return self.real_foo.getTwo()

    # apply the declarations made above to the class
    Globals.InitializeClass(FooWrapper)

And an external method to make use of the wrapper would look something like:

    def getAFoo(self, name):
        import foo
        inst = foo.foo(name)
        return FooWrapper(inst)

As long as getOne and getTwo return "basic" Python types this wrapper will work. If the methods return instances, classes, or anything that is not a string, list, dict, or tuple, you will not be able to do anything with the return values due to the security machinery. There are ways around this (namely, setting an attribute on a returned instance called "__allow_access_to_unprotected_subobjects__"), but if you're going to go this far it'd probably be better to use an external method.

- c

----- Original Message -----
From: "J. Joy" <kyroraz@yahoo.com>
To: "Chris McDonough" <chrism@zope.com>; <zope@zope.org>
Sent: Tuesday, July 09, 2002 3:40 PM
Subject: Re: [Zope] Object permissions in External Methods with XML
Okay... I've given this a few tries, but I can't quite seem to nail it down. I can get to the initial object, but anything deeper and I run into more access restrictions. It seems to be copying a reference rather than the material, so I might have to find a way to explicitly copy the data from the one object to the other as equals doesn't seem to be the way to do it.
This is what I have thus far:
---
import gnosis.xml.objectify as xp
from AccessControl import ClassSecurityInfo
from Acquisition import Implicit
import Globals

class Container(Implicit):
    security = ClassSecurityInfo()
    security.declareObjectPublic()
    security.setDefaultAccess('allow')

    security.declarePublic('xml_to_py')
    def xml_to_py(self):
        object = xp.XML_Objectify('/tmp/sample.xml')
        returning = object._PyObject
        ## Here is one idea I had, put it into a object like info and then
        ## return it, didn't work so well...
        info = []
        transport = Container()
        info.append(returning)
        return (returning)

def xml_to_py(self):
    Globals.InitializeClass(Container)
    xml_transport = Container()
    print dir(xml_transport.xml_to_py())
    print dir(xml_transport.xml_to_py().UserRequest)
    return (xml_transport.xml_to_py().UserRequest)

Globals.InitializeClass(Container)
---
I've gone through the security documents, but I don't seem to be able to find anything special about unsecuring such an issue specific to this case.
--- Chris McDonough <chrism@zope.com> wrote:
You need to make security declarations on the *returned object* (which in this case is "object._PyObject"). I don't have any idea what this is but what you probably want to do is return an instance of a class which has security declarations that *wraps* this object's methods.
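Added example, not part of the original thread and not Zope or gnosis code: because strings, lists, dicts and tuples need no security declarations of their own, an alternative to wrapping each level is to copy the parsed tree into those types inside the external method before returning it. It assumes the parsed object keeps its data in instance attributes; to_basic, Node and sample_tree are hypothetical names, and the sample data is constructed.

```python
# Added example; runs without Zope or gnosis installed.
# Assumption: the parsed object keeps child data in instance attributes.

SCALARS = (str, bytes, int, float, bool, type(None))


def to_basic(obj, _path=None):
    """Deep-copy obj into scalars, lists, tuples and dicts only."""
    path = set() if _path is None else _path
    if isinstance(obj, SCALARS):
        return obj
    if id(obj) in path:
        raise ValueError("cyclic reference cannot be copied into basic types")
    path.add(id(obj))
    try:
        if isinstance(obj, dict):
            return {str(k): to_basic(v, path) for k, v in obj.items()}
        if isinstance(obj, (list, tuple)):
            items = [to_basic(v, path) for v in obj]
            return tuple(items) if isinstance(obj, tuple) else items
        if callable(obj) or not hasattr(obj, "__dict__"):
            # Fail closed: never hand an opaque object to restricted code.
            raise TypeError("cannot copy %s" % type(obj).__name__)
        # Copy public attributes only; underscore names stay private.
        return {name: to_basic(value, path)
                for name, value in vars(obj).items()
                if not name.startswith("_")}
    finally:
        # Track only the current path so shared (non-cyclic) objects are fine.
        path.discard(id(obj))


class Node(object):
    """Constructed stand-in for a parsed XML element."""
    def __init__(self, **attrs):
        self.__dict__.update(attrs)


def sample_tree():
    """Constructed sample data, shaped like a small parsed document."""
    request = Node(user="alice", _parent=None,
                   items=[Node(sku="A1", qty=2), Node(sku="B7", qty=1)])
    return Node(UserRequest=request)


if __name__ == "__main__":
    print(to_basic(sample_tree()))
```

The copy is a snapshot: restricted code sees the data as it was at call time and gets no reference back to the original objects.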