[Zope-dev] Methods with no __roles__ defined no always protected?

Toby Dickenson tdickenson@geminidataloggers.com
Mon, 21 Aug 2000 13:41:53 +0100


On Mon, 21 Aug 2000 12:15:24 +0100, Chris Withers <chrisw@nipltd.com>
wrote:
>The SquishSite class has a method called item_count() which is used on
>one of the management pages. It currently isn't protected by any
>permissions or __roles__ and yet it still works fine on the management
>screen concerned.
>
>I thought this sort of thing was supposed to throw up an unauthorized
>error in 2.2?

No, for two reasons:

Firstly, I assume your management page is a dtml file on disk, not a
dtml object stored in the ZODB. dtml files bypass *all* security
checks. 

Secondly, all objects that inherit from OFS.Item.SimpleItem (that is,
almost all high level objects) have the
__allow_access_to_unprotected_subobjects__ flag set. Your method would
be callable from through-the-web dtml too.


The basic rules of Zope security are fairly easy; its the exceptions
that cause the problems.

Toby Dickenson
tdickenson@geminidataloggers.com