Invoking Zope's security manually?
Hi there.

What is the proper way to validate Zope's security in an unrestricted script?

...object = make a request object and wrap the root zope object...

    result = object.aq_acquire(methodName)
    if not AccessControl.getSecurityManager().validate(object, None, methodName, result):
        raise Exception('Unauthorised:' + methodName)

I know this should be close to what it should be. But what about an object's properties, and accessing their __str__ and __call__ type methods? Is there a formal way of invoking Zope's security?

Thanks
Herman
herman geldenhuys wrote at 2004-1-8 17:27 +0200:
What is the proper way to validate zope's security in an unrestricted script?
...object = make a request object and wrap the root zope object...
    result = object.aq_acquire(methodName)
    if not AccessControl.getSecurityManager().validate(object, None, methodName, result):
        raise Exception('Unauthorised:' + methodName)

I know this should be close to what it should be. But what about an object's properties, and accessing their __str__ and __call__ type methods?
I am almost sure that they are not protected in a special way. This means: when you can access the object (as checked above) and the object has an "__str__" or "__call__" method, then you can use "str(obj)" and "obj(...)" with further restriction by the security machinery.

Tell me, when you are able to prove me wrong...

--
Dieter
participants (2): Dieter Maurer, herman geldenhuys