[ZCM] [ZC] 1202/ 4 Comment "setDefaultAccess('deny') vs context"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Wed Jan 28 01:09:15 EST 2004


Issue #1202 Update (Comment) "setDefaultAccess('deny') vs context"
 Status Accepted, Zope/bug medium
To followup, visit:
  http://collector.zope.org/Zope/1202

==============================================================
= Comment - Entry #4 by Zen on Jan 28, 2004 1:09 am

This particular issue still has not yet been addressed (the attached code, when running with the 'deny' security assertion enabled, works under 2.7b3 but fails under the latest 2.7 CVS).

If an object does security.setDefaultAccess('deny'), then any scripts it contains cannot access context/container etc. This might be considered correct, although I can't think of a use case for this behavior.

If deemed correct behavior, there needs to be a blessed way of saying 'deny access to unprotected attributes, but let references to bound variables through'. This can currently be spelled security.setDefaultAccess({'':1}).
________________________________________
= Comment - Entry #3 by tseaver on Jan 27, 2004 3:21 pm

Can you test against the head of the 2.7 branch today?  If
our recent checkins have fixed your problem, we would like
to cut a new release candidate tomorrow.
________________________________________
= Accept - Entry #2 by tseaver on Jan 26, 2004 6:04 pm

 Status: Pending => Accepted

 Supporters added: tseaver

I think I fixed the equivalent problem today for the
2.6 branch;  I will be porting the fix to 2.7 and the
head tomorrow.
________________________________________
= Request - Entry #1 by Zen on Jan 23, 2004 7:39 pm
Uploaded:  "AccessEg.py"
 - http://collector.zope.org/Zope/1202/AccessEg.py/view
If a parent object has tightened security by using security.setDefaultAccess(), child scripts can no longer access their context. The workaround is to do security.setDefaultAccess({'':1}) instead of security.setDefaultAccess('deny'), but this is not yet documented and I'm unsure if this opens security issues.

Should policy.validate(name='') be changed to cope with this situation, or is the fix to document the workaround and require modifications to product source?

This issue has been reported by at least one user other than myself.

I've attached a minimal example.
==============================================================
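The behavior described in Entry #1 and Entry #4 comes down to how the default-access setting is consulted when a script's bound variables are looked up. The following is an added example, not Zope's AccessControl code or the attached AccessEg.py: a small Python model of the check in which a class-level `__allow_access_to_unprotected_subobjects__` flag is either an integer (allow or deny everything unprotected), a dict keyed by attribute name, or a callable, and in which bound variables such as `context` and `container` are validated under the empty name `''`, as the report's `policy.validate(name='')` indicates. The "deny when no flag is set" default, the `SecurityInfoModel` class, and the sample attribute name `notes` are assumptions of this model.

```python
# Added example (not Zope's own code): a model of the default-access check
# that the thread is about. security.setDefaultAccess() controls access to
# *unprotected* attributes, and a script's bound variables (context,
# container) are validated under the empty name '' (policy.validate(name='')).
# The model reproduces the three settings discussed: 'allow', 'deny', {'': 1}.

BOUND_VARIABLE_NAME = ''  # name under which context/container are validated
FLAG_ATTR = '__allow_access_to_unprotected_subobjects__'


class SecurityInfoModel:
    """Stand-in (assumed, for this model) for the part of ClassSecurityInfo
    that the thread exercises: setDefaultAccess() and apply()."""

    def __init__(self):
        self._default_access = None

    def setDefaultAccess(self, access):
        # Same spellings as on the page: 'allow', 'deny', or a per-name dict.
        if isinstance(access, str):
            if access == 'allow':
                self._default_access = 1
            elif access == 'deny':
                self._default_access = 0
            else:
                raise ValueError("access must be 'allow', 'deny' or a dict")
        elif isinstance(access, dict):
            self._default_access = dict(access)
        else:
            raise TypeError("access must be a str or a dict")

    def apply(self, cls):
        if self._default_access is not None:
            setattr(cls, FLAG_ATTR, self._default_access)


def unprotected_access_allowed(container, name):
    """Decide whether unprotected attribute `name` of `container` may be read.

    The flag is an int (allow/deny all), a dict keyed by attribute name, or
    a callable. A missing flag is treated as deny; that default is an
    assumption of this model.
    """
    flag = getattr(container, FLAG_ATTR, None)
    if flag is None:
        return False
    if isinstance(flag, dict):
        flag = flag.get(name, 0)
    if callable(flag):
        flag = flag(name, getattr(container, name, None))
    return bool(flag)


def outcome_for(access):
    """Build a folder-like class with the given default access and report
    what a script inside it can reach: its bound context, and an ordinary
    unprotected attribute ('notes', a constructed sample name)."""
    class Folder:
        notes = 'unprotected sample attribute'

    security = SecurityInfoModel()
    security.setDefaultAccess(access)
    security.apply(Folder)
    folder = Folder()
    return {
        'context': unprotected_access_allowed(folder, BOUND_VARIABLE_NAME),
        'notes': unprotected_access_allowed(folder, 'notes'),
    }


def compare_settings():
    """The three settings from the thread, side by side."""
    return {
        'allow': outcome_for('allow'),
        'deny': outcome_for('deny'),
        "{'':1}": outcome_for({'': 1}),
    }


if __name__ == '__main__':
    for setting, result in compare_settings().items():
        print(f"{setting:8} context={result['context']!s:5} notes={result['notes']}")
```

Run stand-alone, the model shows the two outcomes the thread contrasts: under `'deny'` the integer flag applies to every name, including `''`, so the script loses `context` along with everything else, whereas `{'':1}` re-enables only the empty-name lookup and leaves ordinary unprotected attributes such as `notes` denied. The `notes` column is the property a reviewer would want to confirm before relying on the workaround; in this model it stays denied by construction.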