[ZDP] BackTalk to Document Zope Developer's Guide (2.4 edition)/Security
webmaster@zope.org
Tue, 13 May 2003 16:25:43 -0400
A comment to the paragraph below was recently added via http://www.zope.org/Documentation/Books/ZDG/current/Security.stx#3-31
---------------
The 'ClassSecurityInfo' class is defined in the 'AccessControl'
package of the Zope framework. To declare class security
information, create a 'ClassSecurityInfo' class attribute named
'security'. The name 'security' is used for consistency and for
the benefit of new component authors, who often learn from
looking at other people's code. You do not have to use the
name 'security' for the security infrastructure to recognize
your assertion information, but it is recommended as a
convention. For example::

  from AccessControl import ClassSecurityInfo
  from OFS.ObjectManager import ObjectManager

  class Mailbox(ObjectManager):
      """A mailbox object that contains mail message objects."""

      # Create a SecurityInfo for this class. We will use this
      # in the rest of our class definition to make security
      # assertions.
      security = ClassSecurityInfo()

      # Here is an example of a security assertion. We are
      # declaring that access to messageCount is public.
      security.declarePublic('messageCount')
      def messageCount(self):
          """Return a count of messages."""
          return len(self._messages)

% Anonymous User - Jan. 23, 2003 9:54 am:
How is security.declarePublic('messageCount') different from
messageCount__roles__=None ? Or is the latter way obsolete?
% Anonymous User - May 13, 2003 4:25 pm:
From looking at the source (and doing some debugging), I've concluded that ClassSecurityInfo is just another
indirection the Zope folks have decided to place on us. If you look in the method apply() in
AccessControl/SecurityInfo.py around line 220, you'll notice that it pretty much automates the creation of
FooBar__roles__ attributes and the __ac_permissions__.
I don't see any Unit Tests for any of that code though, so I wouldn't bother with ClassSecurityInfo unless
you're really into Zope voodoo and want your application's security to be automagically munged and then
injected back into your object.
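
Added example, not part of the original thread and not Zope's own code: a reduced stand-in for 'ClassSecurityInfo' that models only the behaviour discussed above (declarations collected on the class, then written back as 'name__roles__' attributes and '__ac_permissions__'), next to the hand-written form from the question. 'MiniSecurityInfo', 'audit', both mailbox classes and the 'View mail' permission are hypothetical names constructed for illustration, and 'audit' shows how a reviewer can list which methods ended up public, private, protected or undeclared.

```python
# Reduced stand-in for AccessControl.ClassSecurityInfo (illustration only).
PUBLIC, PRIVATE = None, ()        # roles values: anyone / nobody

class MiniSecurityInfo:
    def __init__(self):
        self.names = {}           # attribute name -> access
    def declarePublic(self, *names):
        self.names.update(dict.fromkeys(names, PUBLIC))
    def declarePrivate(self, *names):
        self.names.update(dict.fromkeys(names, PRIVATE))
    def declareProtected(self, permission, *names):
        self.names.update(dict.fromkeys(names, permission))
    def apply(self, cls):
        perms = {}
        for name, access in self.names.items():
            if isinstance(access, str):       # a permission name
                perms.setdefault(access, []).append(name)
            else:                             # public or private
                setattr(cls, name + '__roles__', access)
        cls.__ac_permissions__ = tuple(
            (p, tuple(sorted(n))) for p, n in sorted(perms.items()))

class MailboxOld:                     # constructed sample, hand-written style
    def messageCount(self): return 0
    messageCount__roles__ = None

class MailboxNew:                     # constructed sample, declarative style
    security = MiniSecurityInfo()
    security.declarePublic('messageCount')
    def messageCount(self): return 0
    security.declareProtected('View mail', 'listMessages')
    def listMessages(self): return []
    security.declarePrivate('purge')
    def purge(self): pass
    def rebuildIndex(self): pass      # no declaration at all

MailboxNew.security.apply(MailboxNew) # stands in for Zope's class initialization

def audit(cls):
    """Map each public-named method to its effective declaration."""
    protected = {n: p for p, ns in getattr(cls, '__ac_permissions__', ())
                 for n in ns}
    report = {}
    for name, value in vars(cls).items():
        if callable(value) and not name.startswith('_'):
            roles = getattr(cls, name + '__roles__', 'undeclared')
            label = 'public' if roles is None else 'private' if roles == () else None
            report[name] = label or protected.get(name, roles)
    return report
```

In this model both styles leave the same 'messageCount__roles__ = None' on the class, and 'audit(MailboxNew)' reports 'rebuildIndex' as 'undeclared', which is the kind of method a security review should look at first.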