Chris Withers wrote:
Michael R. Schwab wrote:
The issue that I'm facing seems to be Zope's security model. The ZDG's security guide has even specified that object properties that are basic Python types cannot have their permissions set via the usual security.declarePublic() call (this includes 'id', 'meta_type', 'title').
This is true.
Yoru options are:
1. setDefaultAccess('deny') and then provide setter and accessor methdos for the attributes in question.
2. I believe setDefaultAccess can be passed a list or function that determines whether an attribute is accessible. You'd have to do some research on this.
Ok, to implement via option #2: Set the following security declarations: __roles__ = () security = ClassSecurityInfo() security.setDefaultAccess( {'id':1, 'meta_type':1, 'title':1} ) This allows public access to the 'id', 'meta_type', and 'title', but disallows access to all other properties such as 'ctime'. Alternatively, you can also specify an inaccessible property with 'ctime':0 in the security.setDefaultAccess() call. Its a bit of a hoop jumping lesson, but it works. Thanks Chris!
I don't want to specify security.setDefaultAccess( 'allow' ) as this would allow access to mutable types within my product from scripts and defeats the purpose of setting a strict default security policy.
Be careful. OFS.SimpleItem.SimpleItem does this anyway, so you'll have to ensure you specifically set the policy in your product.
cheers,
Chris