[Zope-CMF] Security behavior question

Doyon, Jean-Francois Jean-Francois.Doyon@CCRS.NRCan.gc.ca
Mon, 17 Dec 2001 16:00:52 -0500


Tres,

Yup, that did it. Good to know the default behavior of PortalContent too ...
one less line of code :)

Thanks for the help!
J.F.

-----Original Message-----
From: Tres Seaver [mailto:tseaver@zope.com]
Sent: Monday, December 17, 2001 1:49 PM
To: Doyon, Jean-Francois
Cc: Zope-Cmf
Subject: Re: [Zope-CMF] Security behavior question


Doyon, Jean-Francois wrote:

> Tres,
> 
> Thanks for the quick reply!
> 
> The behavior you describe is what I was expecting.
> 
> Actually I have a customized "document_view" that behaves normally.  It
> seems the problem occurs only with my DTML method (Part of a skin) that I
> created from scratch (instead of using a default one and clicking
> "customize") ...
> 
> It should be noted that the object I'm "viewing" is actually a custom one I
> created and added to the list of CMFDefault object types.  Could the problem
> come from that? I'm pretty sure all my security declarations are correct,
> I'll revisit them, but it's a real basic object with only one property.
> 
> As for your questions, nope I didn't change anything as far as security
> settings, at least not for the "anonymous" role ... (Well I removed the
> ability to join the portal, but that's it).  My method has the exact same
> security properties set on it as the customized document_view, and
> neither have any Proxy roles defined.
> 
> As for the caching, I just tested that and nope ... the third way of doing
> it still gets me in ...
> 
> Hmmm ... And "document_view" and "map_interactive" (My DTML Method) both
> live in the "custom" skin folder, which means that permission inheritance is
> also the same ...
> 
> Ha ha ... I like to work from examples, and I'm noticing that the Document's
> CookedBody has a declareProtected set on it ... Which makes sense, but I
> don't have that kind of declaration on my object, since there's no method in
> my class ... My object simply sets a property used by the skin. How would I
> go about declaring a security condition on accessing a property instead of a
> method (or function, whatever the python parlance is :)?
> 
> I guess I would have to add a new permission setting and instead of doing a
> declareObjectPublic I would use a declareObjectProtected(<permission name>)
> ?

Yes, that seems like the problem.  The skin methods themselves
aren't protected (can't be, given the skins architecture);  they
rely on the underlying objects' protections.  If you change just
the one line in your class from 'security.declareObjectPublic()' to
'security.declareObjectProtected( "View" )', your issue should
vanish (actually, you could probably just delete the line, as
PortalContent already says that).

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
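
The behaviour discussed in this thread, as a simplified pure-Python model added here (it is not code from the thread and not Zope's AccessControl implementation): a skin method carries no check of its own, so a property read falls back to the object-level declaration. `SecurityInfo`, `allowed`, `render_skin`, the role table and the property name `map_url` are assumptions made for illustration.

```python
# Simplified model of the declarations discussed in the thread (an assumption
# for illustration; this is not Zope's AccessControl implementation).
PUBLIC = object()  # marker meaning "no permission required"

# Constructed role table: Anonymous does not hold "View" on this content.
ROLE_PERMISSIONS = {"Anonymous": set(), "Member": {"View"}}

class SecurityInfo:
    """Toy stand-in for ClassSecurityInfo that only records declarations."""
    def __init__(self):
        self.object_permission = None  # no object-level declaration yet
        self.names = {}                # per-name declarations

    def declareObjectPublic(self):
        self.object_permission = PUBLIC

    def declareObjectProtected(self, permission):
        self.object_permission = permission

    def declareProtected(self, permission, name):
        self.names[name] = permission

def allowed(security, name, role):
    """A per-name declaration wins; otherwise the object-level one applies."""
    required = security.names.get(name, security.object_permission)
    if required is PUBLIC:
        return True
    if required is None:
        return False  # nothing declared: this model denies
    return required in ROLE_PERMISSIONS[role]

def render_skin(security, names_used, role):
    """The skin method has no check of its own; the object decides access."""
    return all(allowed(security, n, role) for n in names_used)

def document_security():
    s = SecurityInfo()
    s.declareProtected("View", "CookedBody")  # as noted in the thread
    return s

def map_security(fixed):
    s = SecurityInfo()
    if fixed:
        s.declareObjectProtected("View")  # the one-line change from the reply
    else:
        s.declareObjectPublic()           # the declaration as originally written
    return s

if __name__ == "__main__":
    for fixed in (False, True):  # "map_url" is a hypothetical property name
        print(fixed, render_skin(map_security(fixed), ["map_url"], "Anonymous"))
```

In this model the customized document_view is blocked for Anonymous because it goes through the protected CookedBody, while the from-scratch skin method only reads a property and is governed by the object-level declaration alone.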