[Zope-Checkins] CVS: Zope/lib/python/AccessControl - SimpleObjectPolicies.py:1.12.70.2

Jim Fulton jim at zope.com
Fri Jan 16 16:04:54 EST 2004


Update of /cvs-repository/Zope/lib/python/AccessControl
In directory cvs.zope.org:/tmp/cvs-serv16878/lib/python/AccessControl

Modified Files:
      Tag: Zope-2_7-branch
	SimpleObjectPolicies.py 
Log Message:
Changed the strategy for handling special list and dict methods.


=== Zope/lib/python/AccessControl/SimpleObjectPolicies.py 1.12.70.1 => 1.12.70.2 ===
--- Zope/lib/python/AccessControl/SimpleObjectPolicies.py:1.12.70.1	Thu Jan  8 18:33:43 2004
+++ Zope/lib/python/AccessControl/SimpleObjectPolicies.py	Fri Jan 16 16:04:52 2004
@@ -10,37 +10,34 @@
 # FOR A PARTICULAR PURPOSE
 #
 ##############################################################################
-"""Collect rules for access to objects that don\'t have roles.
+"""Collect some policies for s few built-in container objects.
 
-The rules are expressed as a mapping from type -> assertion
+   This module defines a registry, ContainerAssertions, that contains
+   some data that is used by the zope security policy and by zope
+   guards when considering whether to allow access to objects.
 
-An assertion can be:
+   The zope security policy and the zope guards use this data in
+   different ways.  The source code for those modules is the best
+   source of documentation for their use. :(
 
-  - A dict
+   The requirements for the values of ContainerAssertions is provided
+   here.
 
-  - A callable
+   The keys of ContainerAssertions are built-in types.
 
-  - Something with a truth value
+   The values must be one of:
 
-If the assertion is a callable, then it will be called with
-a name being accessed and the name used.  Its return value is ignored,
-but in may veto an access by raising an exception.
+   1 -- In this case access to attributes of instances of the type are
+        always allowed.  Access to items may be allowed, depending on
+        the item type and value. (Use the source.)
 
-If the assertion is a dictionary, then the keys are attribute names.
-The values may be callables or objects with boolean values. If a value
-is callable, it will be called with the object we are accessing an
-attribute of and the attribute name. It should return an attribute
-value. Callables are often used to returned guarded versions of
-methods.  Otherwise, accesses are allowed if values in this dictionary
-are true and disallowed if the values are false or if an item for an
-attribute name is not present.
+   a callable -- In this case, the callable will be called with the
+        attribute name and value and should return a true callable or
+        1. If 1 is returned, then access may be granted, otherwise the
+        second callable will be called with the original object, and
+        the attribute name, and should return an object that is
+        returned as the value of the attribute.
 
-If the assertion is not a dict and is not callable, then access to
-unprotected attributes is allowed if the assertion is true, and
-disallowed otherwise.
-
-XXX This descrition doesn't actually match what's done in ZopeGuards
-or in ZopeSecurityPolicy. :(
 
 $Id$
 """
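Review bot: The new "a callable" entry in the docstring never says how access is denied. The removed text stated that a callable "may veto an access by raising an exception", while the replacement only covers returning 1 or "a true callable", so a reader cannot tell what a false return value or a raised exception means to a guard. Since this docstring is now the stated contract for ContainerAssertions values, suggest adding one sentence on the denial path and replacing "(Use the source.)" in the "1" entry with the actual rule for item access. The dict form is also dropped from the list of allowed values without saying whether dict-valued entries are still honoured; please state that explicitly. Minor: "s few" in the first line should be "a few", and "The requirements ... is provided" should read "are provided".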
@@ -52,25 +49,6 @@
 # Allow access to unprotected attributes
 Record.Record.__allow_access_to_unprotected_subobjects__=1
 
-# ContainerAssertions are used by cAccessControl to check access to
-# attributes of container types, like dict, list, or string.
-# ContainerAssertions maps types to a either a dict, a function, or a
-# simple boolean value.  When guarded_getattr checks the type of its
-# first argument against ContainerAssertions, and invokes checking
-# logic depending on what value it finds.
-
-# If the value for a type is:
-#   - a boolean value:
-#      - the value determines whether access is allowed
-#   - a function (or callable):
-#      - The function is called with the name of the attribute and
-#        the actual attribute value, then the value is returned.
-#        The function can raise an exception.
-#   - a dict:
-#      - The dict maps attribute names to boolean values or functions.
-#        The boolean values behave as above, but the functions do not.
-#        The value returned for attribute access is the result of
-#        calling the function with the object and the attribute name.
 
 ContainerAssertions={
     type(()): 1,
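Review bot: Deleting the whole comment block above "ContainerAssertions={" leaves the registry with no explanation at its definition site and drops the statement that guarded_getattr in cAccessControl checks the type of its first argument against it; the new module docstring only refers to "the zope security policy" and "zope guards" in general. Suggest keeping a one-line comment here that points to the module docstring for the value contract and names the code that consults the registry, so someone adding a type entry such as "type(()): 1" sees what the value grants before editing.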



