[Zope-dev] Re: hack for refused authorization with virtual dataskin
Phillip J. Eby
pje@telecommunity.com
Mon, 23 Apr 2001 15:55:03 -0400
At 01:37 PM 4/23/01 +0200, Godefroid Chapelle wrote:
>Hello,
>
>
>After rereading the ZopeSecurityPolicy source code, I tried the
>following hack.
>
>I add in the skinscript :
>
>WITH 1 COMPUTE __allow_access_to_unprotected_subobjects__=RESULT
>
>which does work : it fools the security mechanism.
>
>I can live with it but feel that there is only a slight problem which
>could allow me to avoid the hack.
>
>I hope this can hint some of you to help me to understand what is badly
>settled in my installation.
It sounds to me like you need to be using the getId() method instead of the
.id attribute. I think that the id attribute is being phased out in favor
of getId().
I'm somewhat reluctant to enable access to unprotected subobjects in the
DataSkin base class; it seems a little too broad of an access level. The
other alternative would be to allow SkinScript expressions free rein as
regards security - but that's too broad also. The optimum would be to
allow SkinScript expressions full access to the targeted DataSkin's direct
attributes, but normal (validated) access to everything else, but I'm not
sure how to do this safely.
This is an example of why I consider ZPatterns a hack - too many places
where it depends on Zope innards like this.