[Zope-dev] Security still weird

Michael R. Bernstein webmaven@lvcm.com
30 Jul 2001 20:53:14 -0700


I have a Python Product that I have mostly finished, and now I want to
add security to it. I am importing Globals.InitializeClass and
AccessControl.ClassSecurityInfo. I am adding a ClassSecurityInfo
instance in my class, and I am calling InitializeClass on my class at
the bottom of the module.

I have run into the following problem:

Classes in Python products that inherit from OFS.SimpleItem.SimpleItem
or OFS.SimpleItem.Item have an attribute set:

__allow_access_to_unprotected_subobjects__ = 1

This allows all class attributes and subobjects that are not explicitly
private or protected by a permission to be accessed from the restricted
code environment, or directly traversed into by a web browser.

Supposedly, setting __allow_access_to_unprotected_subobjects__ = 0
inside your class will return the behaviour to the default (access not
explicitly allowed is denied), but this doesn't seem to work for me.

Adding explicit permissions to methods *does* work, but only for
methods. Attributes such as dictionaries would be left unprotected.

Can anyone suggest what I might be doing wrong?

I am working with Zope 2.4.

Thanks,

Michael Bernstein.
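
The fallback described in this post, as a simplified stand-alone model added here (not Zope's code and not part of the original message), with a small audit that lists which data attributes of a class stay reachable without a declaration. All class and function names are hypothetical stand-ins, the sample values are constructed, and the per-name mapping form of the flag goes beyond the 0/1 values the post mentions.

```python
# Simplified, stand-alone model of the fallback for names that carry no
# security declaration. Stand-in classes only; nothing here is Zope code.
FLAG = "__allow_access_to_unprotected_subobjects__"


class SimpleItemLike:
    """Stand-in for a base class that ships the permissive flag."""
    __allow_access_to_unprotected_subobjects__ = 1


class OpenProduct(SimpleItemLike):
    """Inherits the permissive flag unchanged."""
    settings = {"dsn": "constructed-sample"}


class ClosedProduct(SimpleItemLike):
    """Overrides the flag so undeclared names are denied."""
    __allow_access_to_unprotected_subobjects__ = 0
    settings = {"dsn": "constructed-sample"}


class SelectiveProduct(SimpleItemLike):
    """Per-name mapping form: only names mapped to a true value pass."""
    __allow_access_to_unprotected_subobjects__ = {"title": 1}
    title = "constructed title"
    settings = {"dsn": "constructed-sample"}


def unprotected_access_allowed(container, name):
    """Decide access to an undeclared name on container (model)."""
    if name.startswith("_"):
        return False  # underscore names are never reachable
    # Ordinary attribute lookup: the most derived class's value wins.
    flag = getattr(container, FLAG, None)
    if isinstance(flag, dict):
        flag = flag.get(name)
    return bool(flag)  # a missing flag means deny


def exposed_data_attributes(obj):
    """Names of non-callable class attributes the model would expose."""
    names = [n for n in dir(type(obj))
             if not callable(getattr(obj, n))
             and unprotected_access_allowed(obj, n)]
    return sorted(names)
```

Running `exposed_data_attributes` over each product class gives a quick list of dictionaries and other data attributes that method-level permissions leave uncovered.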