[Zope-dev] Security Weirdness
Michael R. Bernstein
webmaven@lvcm.com
30 Jul 2001 14:48:52 -0700
On 26 Jul 2001 08:53:37 -0700, Michel Pelletier wrote:
> "Michael R. Bernstein" wrote:
> >
> > Hi everyone,
> >
> > Ok, I'm developing a python Product and have gotten to the stage where I
> > am adding security declarations. I understand the default policy (once
> > you've added a ClassSecurityInfo instance to the class and called
> > InitializeClass(yourClass) ) should be to deny access to methods that
> > don't have any security declarations.
> >
> > This doesn't seem to be the case. Even though I have *not* added
> > security.setDefaultAccess("allow"), access to unprotected methods (both
> > regular methods and HTMLFile methods) is being allowed rather than
> > denied.
> >
> > Protecting methods with a permission works as it should.
> >
> > Can anyone help diagnose this?
>
> Does your component derive from SimpleItem? If so, you are
> inadvertently inheriting __allow_access_to_unprotected_subobjects__.
> Unfortunately, this means that almost all Zope objects inherit this,
> including yours, I presume.
>
> The way around this is to either set the above class attribute (in
> *your* class) to zero, or protect everything with a permission.
I've tried this, and have not been able to get it to work. For whatever
reason, the default security policy is *not* working WRT my code. An
anonymous user has access to all unprotected methods and subobjects.

I can provide my code for examination, if that will help.
Michael Bernstein.
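
Added example, not part of the original thread and not Zope's own code: a small audit that reports which base class supplies __allow_access_to_unprotected_subobjects__ and which public methods carry no declaration, following the explanation quoted above. The stand-in classes are constructed, and the sketch assumes a declaration is recorded as a `<name>__roles__` class attribute and that the flag is a plain integer.

```python
# Added diagnostic sketch; uses constructed stand-in classes, no Zope import.
FLAG = "__allow_access_to_unprotected_subobjects__"

def flag_origin(cls):
    """Return (class name, value) for the first class in the MRO that sets
    FLAG, or (None, None) if no class in the hierarchy sets it."""
    for klass in cls.__mro__:
        if FLAG in vars(klass):
            return klass.__name__, vars(klass)[FLAG]
    return None, None

def undeclared_methods(cls):
    """Public callables reachable on cls that have no '<name>__roles__'
    attribute (assumed here to be how a declaration is recorded)."""
    names = set()
    for klass in cls.__mro__:
        if klass is object:
            continue
        for name, value in vars(klass).items():
            if name.startswith("_") or name.endswith("__roles__"):
                continue
            if callable(value) and not hasattr(cls, name + "__roles__"):
                names.add(name)
    return sorted(names)

def audit(cls):
    origin, value = flag_origin(cls)
    undeclared = undeclared_methods(cls)
    return {
        "flag_defined_in": origin,
        "flag_value": value,
        "undeclared": undeclared,
        # Per the explanation in the thread: a truthy flag lets undeclared
        # names through; only the integer form of the flag is handled.
        "reachable_via_flag": undeclared if value else [],
    }

# --- constructed stand-ins for a SimpleItem-style base and a Product ---
class FakeSimpleItem:
    __allow_access_to_unprotected_subobjects__ = 1
    def title_or_id(self): return "x"
    title_or_id__roles__ = None          # declared (public)

class MyProduct(FakeSimpleItem):
    def view(self): return "view"
    view__roles__ = ("Manager",)         # declared with a permission's roles
    def edit(self): return "edit"        # no declaration at all

class MyHardenedProduct(MyProduct):
    __allow_access_to_unprotected_subobjects__ = 0   # override in *your* class
```

Running audit() on the real class after InitializeClass, and comparing flag_defined_in with the class you expected, shows whether an override is actually the first one found in the MRO.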