[Zope-dev] RFClarification: Security on Product Attributes

Chris Withers chrisw@nipltd.com
Fri, 10 Nov 2000 12:09:23 +0000


Okay, apologies in advance for picking up a thread that's been dormant
for so long ;-)

Jim Fulton wrote:
> 
> Chris Withers wrote:
> >
> >         self.id = id
> >         self.title = 'Title!'
> >         self.anInt = 0
> >         self.aString = 'testing'
> >
> None of the
> values above can have a __roles__ attribute, so they are covered
> by assertions made in their containers.

That's what I thought....

> Note that if you can't adequately control something that
> can't have __roles__, you can provide an access function
> (e.g. getAnInt), which you can control
> 
> > Can I read them? I think the answer is yes for anInt and no for aString.
> 
> Probably, if you can get at one, you can get at the other.

That's not my experience. If you try and use strings, you get dialog
boxes popping up. If you use ints, it works fine.

So, the problem is how to protect ints when you don't want people to get
at them... Adding accessors means you have protected accessors but there's
nothing to stop you just going and using the freely available original
attribute.

Strings; fine, at least they're secure, and when they become proper
objects in Python 2.0, the problem should go away?

cheers,

Chris
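
The situation discussed in this thread, as an added example that is not part of the original message and is not Zope's own code: a simplified model of a role check in which a value that cannot carry `__roles__` falls back to the assertion made by its container. `guarded_getattr`, `outcome`, `attr_roles`, `default_roles` and `LockedProduct` are hypothetical names, and treating `None` as "public" is this model's convention.

```python
# Simplified model of role-based attribute access; NOT Zope's implementation.
MISSING = object()

class Unauthorized(Exception):
    pass

def guarded_getattr(container, name, user_roles):
    """Return container.<name> if user_roles satisfy the applicable assertion."""
    value = getattr(container, name)
    # A method can carry its own __roles__; an int or a str cannot.
    roles = getattr(value, "__roles__", MISSING)
    if roles is MISSING:
        # The value cannot speak for itself, so the container's assertion applies.
        roles = container.attr_roles.get(name, container.default_roles)
    if roles is None or set(roles) & set(user_roles):  # None: public (model convention)
        return value
    raise Unauthorized(name)

def outcome(container, name, user_roles):
    """Helper: the value on success, the string 'Unauthorized' on denial."""
    try:
        return guarded_getattr(container, name, user_roles)
    except Unauthorized:
        return "Unauthorized"

class Product:
    default_roles = None   # hypothetical container assertion: unlisted names are public
    attr_roles = {}        # hypothetical per-attribute assertions made by the container

    def __init__(self, id):
        self.id = id
        self.title = 'Title!'
        self.anInt = 0
        self.aString = 'testing'

    def getAnInt(self):
        return self.anInt
    getAnInt.__roles__ = ("Manager",)   # the accessor itself is protected

class LockedProduct(Product):
    # The container makes the assertion on behalf of the int.
    attr_roles = {"anInt": ("Manager",)}

if __name__ == "__main__":
    for cls in (Product, LockedProduct):
        obj = cls("p")
        for name in ("getAnInt", "anInt"):
            print(cls.__name__, name, "->", outcome(obj, name, ["Anonymous"]))
```

In this model the protected accessor on `Product` is denied to `Anonymous` while the raw `anInt` is still returned; only the container-level assertion on `LockedProduct` closes that path.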