DiskBased products and security
Hi,

I'm following the example in "The Zope Bible" on how to create disk-based products. After adding the imports, the 'InitializeClass(class)' statement and the 'security = ClassSecurityInfo()' statement, he recommends two other statements:

1. __roles__ = () - I didn't understand exactly why, but with this statement I can't access the product either from the ZMI or directly from the web.

2. security.setDefaultAccess("deny") - I think I understand why we changed that, but it's causing a lot of problems. If I add 'declareProtected' for all my methods, I can access certain pages, but with some pages (maybe ones that call methods from base classes or acquisition like 'title_or_id') I still get errors ("Unauthorized: You are not allowed to access 'title_or_id' in this context"). Trying to solve this I started adding 'declareProtected' for every method I got an error for. I gave up after 3 methods, but it seems to help.

So, I was wondering if something has changed in the security model since 2.5 (the version the book is about) until 2.7, and is there a place where it's documented (the Zope Developer Guide is versioned 2.4)?

Also, if I make sure that every method I have in my module is also declared as protected or public, is there a problem with leaving the default access as any?

Thanks
-- Haim
Haim Ashkenazi wrote at 2005-6-13 15:43 +0300:
> ...
> 1. __roles__ = () - I didn't understand exactly why, but with this statement I can't access the product either from the ZMI or directly from the web.

This is a (deprecated) alternative for "security.declareObjectPrivate()".

> 2. security.setDefaultAccess("deny") - I think I understand why we changed that, but it's causing a lot of problems. If I add 'declareProtected' for all my methods, I can access certain pages, but with some pages (maybe ones that call methods from base classes or acquisition like 'title_or_id') I still get errors ("Unauthorized: You are not allowed to access 'title_or_id' in this context"). Trying to solve this I started adding 'declareProtected' for every method I got an error for. I gave up after 3 methods, but it seems to help.

Yes, many methods of "OFS.SimpleItem.SimpleItem" and its base classes rely on its "setDefaultAccess('allow')". If you change this to "deny", you have to provide the explicit security declarations.

> So, I was wondering if something has changed in the security model since 2.5 (the version the book is about) until 2.7, and is there a place where it's documented (the Zope Developer Guide is versioned 2.4)?

"setDefaultAccess('deny')" had a bug in some earlier Zope versions. With the exception of this fix, nothing changed here for a long time. You can still use the Zope Developer Guide...

> Also, if I make sure that every method I have in my module is also declared as protected or public, is there a problem with leaving the default access as any?

As what?

The "default access" also controls access to attributes of simple type (strings, tuples, dicts, ...) which cannot have their own security declarations. If you do not access such attributes directly and you provide security declarations for all methods you use, then you can keep "defaultAccess == 'deny'".

-- Dieter
On Mon, 13 Jun 2005 19:13:14 +0200, Dieter Maurer wrote:
> Haim Ashkenazi wrote at 2005-6-13 15:43 +0300:
>> ...
>> 1. __roles__ = () - I didn't understand exactly why, but with this statement I can't access the product either from the ZMI or directly from the web.
>
> This is a (deprecated) alternative for "security.declareObjectPrivate()".
>
>> 2. security.setDefaultAccess("deny") - I think I understand why we changed that, but it's causing a lot of problems. If I add 'declareProtected' for all my methods, I can access certain pages, but with some pages (maybe ones that call methods from base classes or acquisition like 'title_or_id') I still get errors ("Unauthorized: You are not allowed to access 'title_or_id' in this context"). Trying to solve this I started adding 'declareProtected' for every method I got an error for. I gave up after 3 methods, but it seems to help.
>
> Yes, many methods of "OFS.SimpleItem.SimpleItem" and its base classes rely on its "setDefaultAccess('allow')".
> If you change this to "deny", you have to provide the explicit security declarations.
>
>> So, I was wondering if something has changed in the security model since 2.5 (the version the book is about) until 2.7, and is there a place where it's documented (the Zope Developer Guide is versioned 2.4)?
>
> "setDefaultAccess('deny')" had a bug in some earlier Zope versions. With the exception of this fix, nothing changed here for a long time. You can still use the Zope Developer Guide...
>
>> Also, if I make sure that every method I have in my module is also declared as protected or public, is there a problem with leaving the default access as any?
>
> As what?

Sorry, I was unclear there :)

What I meant is: if I don't leave any method undeclared (security-wise) in my class, will it be a security risk to leave the default access (setDefaultAccess('any'))? Can I protect uncallable objects (like variables) the same way?

> The "default access" also controls access to attributes of simple type (strings, tuples, dicts, ...) which cannot have their own security declarations.
> If you do not access such attributes directly and you provide security declarations for all methods you use, then you can keep "defaultAccess == 'deny'".

Thanks a lot for a very informative answer.

Bye
-- Haim
On Mon, 13 Jun 2005 21:07:56 +0300, Haim Ashkenazi wrote:
> On Mon, 13 Jun 2005 19:13:14 +0200, Dieter Maurer wrote:
>> Haim Ashkenazi wrote at 2005-6-13 15:43 +0300:
>>> ...
>>> 1. __roles__ = () - I didn't understand exactly why, but with this statement I can't access the product either from the ZMI or directly from the web.
>>
>> This is a (deprecated) alternative for "security.declareObjectPrivate()".
>>
>>> 2. security.setDefaultAccess("deny") - I think I understand why we changed that, but it's causing a lot of problems. If I add 'declareProtected' for all my methods, I can access certain pages, but with some pages (maybe ones that call methods from base classes or acquisition like 'title_or_id') I still get errors ("Unauthorized: You are not allowed to access 'title_or_id' in this context"). Trying to solve this I started adding 'declareProtected' for every method I got an error for. I gave up after 3 methods, but it seems to help.
>>
>> Yes, many methods of "OFS.SimpleItem.SimpleItem" and its base classes rely on its "setDefaultAccess('allow')".
>> If you change this to "deny", you have to provide the explicit security declarations.
>>
>>> So, I was wondering if something has changed in the security model since 2.5 (the version the book is about) until 2.7, and is there a place where it's documented (the Zope Developer Guide is versioned 2.4)?
>>
>> "setDefaultAccess('deny')" had a bug in some earlier Zope versions. With the exception of this fix, nothing changed here for a long time. You can still use the Zope Developer Guide...
>>
>>> Also, if I make sure that every method I have in my module is also declared as protected or public, is there a problem with leaving the default access as any?
>>
>> As what?
>
> Sorry, I was unclear there :)
>
> What I meant is: if I don't leave any method undeclared (security-wise) in my class, will it be a security risk to leave the default access (setDefaultAccess('any'))? Can I protect uncallable objects (like variables) the same way?

That was just me being stupid :) If I want to protect a variable, I can just give it a name starting with "_somename"...

Bye

>> The "default access" also controls access to attributes of simple type (strings, tuples, dicts, ...) which cannot have their own security declarations.
>> If you do not access such attributes directly and you provide security declarations for all methods you use, then you can keep "defaultAccess == 'deny'".
>
> Thanks a lot for a very informative answer.
>
> Bye
> -- Haim
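The mechanics behind the thread above (why "setDefaultAccess('deny')" makes an undeclared SimpleItem method like title_or_id raise Unauthorized, why re-declaring it fixes the pages, what "__roles__ = ()" does to the object, why a plain attribute is governed only by the default access, and why an underscore name is unreachable) can be seen without a running Zope. The following is an added example, not code from this thread or from Zope: a small model that writes the same class attributes AccessControl.ClassSecurityInfo and InitializeClass write (<name>__roles__, __roles__, __allow_access_to_unprotected_subobjects__) and applies them in the order guarded_getattr / ZopeSecurityPolicy.validate does. Assumptions: a user is represented by a set of permission names instead of roles resolved through PermissionRole objects and acquisition; the classes SimpleItem, DenyingProduct, FixedProduct and PrivateProduct, the 'View' permission and the attributes secret/_secret are illustrative stand-ins, not Zope's own.

```python
"""Model of Zope 2 class security declarations (an added example, not Zope code):
the class attributes that ClassSecurityInfo + InitializeClass write, and the
decision order of guarded_getattr. Assumption: a user is a set of permission names."""

_NO_DECL = object()   # sentinel: no security declaration found for a name

class Unauthorized(Exception): pass

class ClassSecurityInfo:
    """apply() writes <name>__roles__ = None (public) / () (private) / permission,
    __roles__ for the object itself, and __allow_access_to_unprotected_subobjects__."""
    def __init__(self):
        self._names, self._object_roles, self._default = {}, _NO_DECL, None
    def declareProtected(self, permission, *names):
        self._names.update((n, permission) for n in names)
    def declareObjectProtected(self, permission):
        self._object_roles = permission
    def declareObjectPrivate(self):
        self._object_roles = ()   # same effect as __roles__ = () in the class body
    def setDefaultAccess(self, access):
        self._default = {'allow': 1, 'deny': 0}[access]
    def apply(self, cls):
        for n, roles in self._names.items():
            setattr(cls, n + '__roles__', roles)
        if self._object_roles is not _NO_DECL:
            cls.__roles__ = self._object_roles
        if self._default is not None:
            cls.__allow_access_to_unprotected_subobjects__ = self._default

def InitializeClass(cls):
    if 'security' in cls.__dict__:
        cls.security.apply(cls)
        del cls.security

def _allowed(roles, user_permissions):
    # None: declarePublic; (): declarePrivate; anything else: a permission name
    return True if roles is None else False if roles == () else roles in user_permissions

def guarded_getattr(user_permissions, obj, name):
    """What a DTML/ZPT expression such as here/title_or_id goes through."""
    if name.startswith('_'):
        raise Unauthorized(name)      # underscore names are refused outright
    value = getattr(obj, name)
    roles = getattr(obj, name + '__roles__', _NO_DECL)   # found through the class MRO
    if roles is _NO_DECL:
        # Undeclared name: the instance's default access decides. The subclass's
        # 'deny' wins over SimpleItem's 'allow', so undeclared base methods fail.
        if not getattr(obj, '__allow_access_to_unprotected_subobjects__', 1):
            raise Unauthorized(name)
    elif not _allowed(roles, user_permissions):
        raise Unauthorized(name)
    return value

def check_object(user_permissions, obj):
    """Object-level check made when traversing to the object (its __roles__)."""
    roles = getattr(obj, '__roles__', _NO_DECL)
    if roles is not _NO_DECL and not _allowed(roles, user_permissions):
        raise Unauthorized(type(obj).__name__)
    return obj

def access(user_permissions, obj, name=None):
    """'ok' or 'Unauthorized' for reaching the object (name=None) or one attribute."""
    try:
        check_object(user_permissions, obj) if name is None else guarded_getattr(user_permissions, obj, name)
        return 'ok'
    except Unauthorized:
        return 'Unauthorized'

class SimpleItem:   # stand-in for OFS.SimpleItem.SimpleItem: 'allow', title_or_id undeclared
    security = ClassSecurityInfo()
    security.setDefaultAccess('allow')
    id, title = 'item', ''
    def title_or_id(self):
        return self.title or self.id
InitializeClass(SimpleItem)

class DenyingProduct(SimpleItem):   # the book's recipe: deny, then declare what is exposed
    security = ClassSecurityInfo()
    security.setDefaultAccess('deny')
    security.declareObjectProtected('View')
    security.declareProtected('View', 'index_html')
    secret = 'plain attribute, governed only by the default access'
    _secret = 'underscore name, never reachable from the web'
    def index_html(self):
        return 'hello'
InitializeClass(DenyingProduct)

class FixedProduct(DenyingProduct):   # the remedy: re-declare the inherited method pages use
    security = ClassSecurityInfo()
    security.declareProtected('View', 'title_or_id')
InitializeClass(FixedProduct)

class PrivateProduct(SimpleItem):
    __roles__ = ()   # the book's first statement: equivalent to declareObjectPrivate()

if __name__ == '__main__':
    for obj, name in [(DenyingProduct(), 'title_or_id'), (FixedProduct(), 'title_or_id'), (PrivateProduct(), None)]:
        print(type(obj).__name__, name, access({'View'}, obj, name))
```

Run it and DenyingProduct reports 'Unauthorized' for title_or_id while FixedProduct reports 'ok' for the same user: the declaration is looked up by name through the class hierarchy, but the fallback for an undeclared name is the default access of the instance's own class, so a subclass that switches to 'deny' withdraws the access its base class relied on. PrivateProduct is refused at the object level whatever permissions the user holds, and DenyingProduct's plain attribute secret is refused because a string can carry no __roles__ of its own, which is the point made about simple-type attributes above.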