[Zope-dev] Bugs in new Security Stuff :P (part 3)
Chris Withers
chrisw@nipltd.com
Tue, 22 Aug 2000 11:27:02 +0100
Finally...
I'm not convinced the new security stuff deals properly with attributes
other than simple methods.
Here's the evidence, again from Squishdot (guess what I've been doing
;-)
You remember the Posting class? Well, Posting's objects have a text
attribute called 'subject'.
Unless you have __allow_access_to_unprotected_subobjects__=1, you get
the following error after you hit cancel on the authentication dialog
box that pops up:
(well, I was getting an unauthorized error on subject, now I just get no
response from the server, not even a password dialog box :( That's
really bad...)
Anyway, on to the next example...
If you modify Squishfile by adding an:

    __ac_permissions__=(
        ('View',
         ['file_name', 'file_type', 'content_type', 'file_bytes',
          'file_kbytes', 'date_created', 'date_modified','icon','index_html'],
         ('Anonymous', 'Manager')),
        )

and a:

    Globals.default__class_init__(Squishfile)
at the end, things should work fine; of course, they don't. Right now,
I'm just getting no response from the server, what I was getting (which
was better ;-) is an unauthorized error on 'icon'. icon is defined in
Squishfile as follows:
    icon='misc_/Squishdot/squishfile_img'
...and is protected by the 'View' permission as you can see above.
What is going on?!
Chris
PS: When do you and do you not mix in RoleManager? What does it do and
when is it needed?
PPS: If anyone wants to test this for themselves, let me know and I'll
check my code into the Squishdot public CVS (on a branch! ;-)