[Zope-dev] attribute protection question

Brian Lloyd Brian@digicool.com
Mon, 21 Aug 2000 14:00:18 -0400


> Hmmm. Hence the problem with properties that meant OFS.Item.SimpleItem
> had to have __allow_access_to_unprotected_subobjects__=1?
> 
> Can you not just assign roles to properties as they're created or am I
> missing something else?

That's one way to do it - but it will require some thought 
to make sure we do it right. Having the "=1" assertion is 
a short-term solution intended to avoid breaking everyone's 
code for 2.2 while taking a step on the road to changing 
the default policy. I expect that it will soon make a 
distinction between properties and attributes that are not 
properties, which will be the next step on the road. I'd 
like to see this for 2.3, but I don't promise specific 
features for particular release numbers anymore :) 

I do want it to be Soon. My hope is that we'll release a 
2.x beta where:

  o far fewer things are available via the __allow_... hack

  o product authors and app builders will have auth problems 
    because they're using attrs formerly covered by the hack

  o the new security assertion spelling from dev.zope.org will 
    be available and make it much easier for people to go in 
    and protect the problem attrs correctly :)

  o most if not all of the Zope core will be using the new 
    assertion style, which will help the product authors along 
    with the "guide" to making security assertions that will 
    be a deliverable of that dev.zope.org project

  o we'll be one more step closer to where we want to be


Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com
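
Added example, not part of the original message and not Zope's own code: a simplified model of the fallback discussed above, which lists the attributes that are reachable only through the blanket "=1" flag and so would start failing once the default policy changes. SampleItem, the helper names and the treatment of None as "public" are assumptions of this model; only the flag name comes from the thread, and the <name>__roles__ lookup is a simplification of how Zope 2 stores role assertions.

```python
# Simplified model of the attribute check discussed in this thread.
# This is NOT Zope's security policy; all helper names are hypothetical.
ALLOW_FLAG = "__allow_access_to_unprotected_subobjects__"
_UNDECLARED = object()


def declared_roles(obj, name):
    """Return the roles asserted for attribute `name`, or _UNDECLARED."""
    return getattr(obj, name + "__roles__", _UNDECLARED)


def may_access(obj, name, user_roles):
    """Decide access to obj.<name> for a user holding `user_roles`."""
    roles = declared_roles(obj, name)
    if roles is _UNDECLARED:
        # No assertion at all: fall back to the blanket flag (the "=1" hack).
        return bool(getattr(obj, ALLOW_FLAG, 0))
    if roles is None:  # assumption of this model: None means public
        return True
    return any(r in roles for r in user_roles)


def covered_only_by_flag(obj):
    """List attributes that are reachable solely because of the blanket flag.

    These are the names that need an explicit assertion before the
    default policy flips from allow to deny.
    """
    if not getattr(obj, ALLOW_FLAG, 0):
        return []
    names = [n for n in dir(obj)
             if not n.startswith("_") and not n.endswith("__roles__")]
    return sorted(n for n in names if declared_roles(obj, n) is _UNDECLARED)


class SampleItem:  # constructed sample class, not OFS.SimpleItem
    __allow_access_to_unprotected_subobjects__ = 1
    title = "report"                # property with no assertion
    owner_email = "a@example.org"   # property with no assertion

    def manage_edit(self):
        return "edited"
    manage_edit__roles__ = ("Manager",)

    def index_html(self):
        return "page"
    index_html__roles__ = None


if __name__ == "__main__":
    print(covered_only_by_flag(SampleItem()))
```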