[Zope-dev] Bugs in new Security Stuff :P (part 3)

Chris Withers chrisw@nipltd.com
Tue, 22 Aug 2000 11:27:02 +0100


Finally...

I'm not convinced the new security stuff deals properly with attributes
other than simple methods.

Here's the evidence, again from Squishdot (guess what I've been doing
;-)

You remember the Posting class? Well, Posting's objects have a text
attribute called 'subject'

Unless you have __allow_access_to_unprotected_subobjects__=1, you get
the following error after you hit cancel on the authentication dialog
box that pops up:

(Well, I was getting an unauthorized error on subject; now I just get no
response from the server, not even a password dialog box :( That's
really bad...)

Anyway, on to the next example...

If you modify Squishfile by adding an:

    __ac_permissions__=(
        ('View',
         ['file_name', 'file_type', 'content_type', 'file_bytes',
          'file_kbytes', 'date_created', 'date_modified', 'icon', 'index_html'],
         ('Anonymous', 'Manager')),
        )

and a:

Globals.default__class_init__(Squishfile)

at the end, things should work fine; of course they don't. Right now
I'm just getting no response from the server; what I was getting (which
was better ;-) was an unauthorized error on 'icon'. icon is defined in
Squishfile as follows:

    icon='misc_/Squishdot/squishfile_img'

...and is protected by the 'View' permission as you can see above.

What is going on?!

Chris

PS: When do you and do you not mix in RoleManager? What does it do and
when is it needed?

PPS: If anyone wants to test this for themselves, let me know and I'll
check my code into the Squishdot public CVS (on a branch! ;-)
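A toy model, added here and not Zope's or Squishdot's code, of how a declaration shaped like the `__ac_permissions__` tuple in the post maps attribute names to roles, and why an attribute with no declaration (such as 'subject') is refused unless the class switches on `__allow_access_to_unprotected_subobjects__`. The `Squishfile` stand-in, its sample values and the Manager-only default are constructed assumptions for the illustration.

```python
# Toy model of Zope 2-style class security declarations (not Zope's code).
# It mirrors only the shape discussed in the post:
#   __ac_permissions__ = ((permission, [attribute names], (roles,)), ...)
# and the per-class __allow_access_to_unprotected_subobjects__ switch.

class Squishfile:
    """Stand-in for the Squishfile class; names taken from the post."""
    icon = 'misc_/Squishdot/squishfile_img'
    subject = 'constructed sample subject'   # no declaration covers this name
    __ac_permissions__ = (
        ('View',
         ['file_name', 'file_type', 'content_type', 'file_bytes',
          'file_kbytes', 'date_created', 'date_modified', 'icon', 'index_html'],
         ('Anonymous', 'Manager')),
    )
    __allow_access_to_unprotected_subobjects__ = 0


def roles_for_attributes(klass):
    """Flatten __ac_permissions__ into {name: (permission, set of roles)}."""
    table = {}
    for entry in getattr(klass, '__ac_permissions__', ()):
        permission, names = entry[0], entry[1]
        # Assumption for this model: an entry with no roles is Manager-only.
        roles = entry[2] if len(entry) > 2 else ('Manager',)
        for name in names:
            table[name] = (permission, set(roles))
    return table


def check_access(klass, name, user_roles):
    """Return (allowed, reason) for reading attribute `name` with `user_roles`."""
    table = roles_for_attributes(klass)
    if name in table:
        permission, roles = table[name]
        if roles & set(user_roles):
            return True, 'granted by permission %s' % permission
        return False, 'Unauthorized: %s needs one of %s' % (name, sorted(roles))
    if getattr(klass, '__allow_access_to_unprotected_subobjects__', 0):
        return True, 'no declaration, but class allows unprotected access'
    return False, 'Unauthorized: %s has no permission declaration' % name


if __name__ == '__main__':
    for attr in ('icon', 'subject'):
        print(attr, check_access(Squishfile, attr, ['Anonymous']))
```

With the switch left at 0, 'icon' is granted to Anonymous through 'View' while 'subject' is refused, which is the behaviour the post describes for undeclared text attributes.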