[Zope-CMF] [dev] wrapping users - a proposal
yuppie
y.2011 at wcm-solutions.de
Tue Feb 22 12:06:07 EST 2011
Hi!
Charlie Clark wrote:
> Am 22.02.2011, 11:46 Uhr, schrieb yuppie<y.2011 at wcm-solutions.de>:
>> 2.) direct MemberData property access
>> -------------------------------------
>> Wrapped users are now MemberAdapter objects. So wrapped users no longer
>> have attributes like 'email' or 'listed'. This is a security improvement
>> because you can't bypass the API with its permission checks.
>> But 'member.email' is more convenient than 'member.getProperty('email')'
>> and used in many places. I fixed these in CMF itself, it I'm afraid that
>> change will break a lot of third party code.
>> I propose to add read-only properties that return the values in a modern
>> format (datetime instead of DateTime, unicode instead of encoded
>> strings).
>
>> Question:
>> Should we support a fixed schema with the default member data properties
>> or should we use a customized __getattr__ method?
>
> If the access is always via the adapter then I would prefer a customised
> __getattr__
I'm still not sure how to resolve this.
MemberAdapter objects are used in untrusted code and it might be
complicated to set permissions correctly for __getattr__ access. (At
least I never tried that.)
It also would be nice to have a well defined interface for default
member properties.
So I tend to a fixed schema. People still can add custom properties, but
they would have to use getProperty or override MemberAdapter.
Cheers,
Yuppie
More information about the Zope-CMF
mailing list