[Zope-dev] Removing the acquisition wrapper from an object (Python script)
Gilles Lenfant
gilles@pilotsystems.net
Thu, 1 Aug 2002 17:50:11 +0200
----- Original Message -----=20
From: "Toby Dickenson" <tdickenson@geminidataloggers.com>
To: "Gilles Lenfant" <gilles@pilotsystems.net>; <zope-dev@zope.org>
Sent: Thursday, August 01, 2002 3:51 PM
Subject: Re: [Zope-dev] Removing the acquisition wrapper from an object =
(Python script)
On Thursday 01 Aug 2002 2:44 pm, Gilles Lenfant wrote:
>> I can't understand that reason because it's also easy to strip away =
an
>> object's security settings in an untrusted python script that has a =
Manager
>> proxy. Well, I'm gonna make my 2 or 3 lines External method :(
>If thats true, its a bug. a serious one too. Please file an example in =
the=20
>collector
Toby,
It's definitively *NOT* a bug but a feature that's completely =
documented.
Most Zope objects inherit of RoleManager class. This class has (among =
others) this method :
manage_permission(self, permission_to_manage, roles=3D[], acquire=3D0, =
REQUEST=3DNone)
Just use this method in an "untrusted" python script on any Zope object, =
add to it Manager proxy, and you're done.
--Gilles