[Zope-dev] dynamic patch and security declaration (was: hotfix and ...)

Yuppie schubbe@web.de
Tue, 06 Aug 2002 13:07:27 +0200


Hi!

Steve Alexander wrote:
> Are you writing an urgent ad-hoc security update that is important and 
> can't wait until the next official release of your product?
> 
> If not, you're writing a "dynamic patch" or "monkey patch", not a hotfix.

I don't want to argue about that. Perhaps Casey Duncan should rename his 
how-to. ( http://www.zope.org/Members/Caseman/Dynamic_Hotfix )

>> 1.) adding a new Method:
>> Is the following code safe? Or is there a better way to do that?
>>
>> <code>
>> from Globals import InitializeClass
>> from AccessControl import ClassSecurityInfo
>> from Products.oldProduct import oldClass
>>
>> def newMethod(self):
>>    pass
>>
>> oldClass.security = ClassSecurityInfo()
>> oldClass.security.declareProtected( 'View', 'newMethod' )
>> oldClass.newMethod = newMethod
>>
>> InitializeClass(oldClass)
>> </code>
> 
> 
> I think this might wipe out the old security assertions, but I'm not sure.

Tested this. InitializeClass seems to append the new assertions.

>> 2.) override security declaration:
>>
>> <code>
>> oldClass.security.declareProtected( 'View', 'oldMethod' )
>> InitializeClass(oldClass)
>> </code>
>>
>> This code raises a conflict warning and doesn't change the setting.
>> The ZDG says: "it is not legal to declare two conflicting permissions 
>> on a method".
>> Why is it illegal? Why will it only accept the first declaration and 
>> not override it? Is there another solution?
> 
> 
> I'm surprised that this works, as I would have expected oldClass to have 
> been initialized already. As far as I can remember, initializing a class 
> causes any attributes that are of type ClassSecurityInfo to be 
> processed, then removed from the class.

Sorry. That was not the complete code. I first created a new 
ClassSecurityInfo for oldClass.

> Do you really need to dynamically patch to do this?

Just thought there might be an easy solution.

> Perhaps instead you can subclass the original class, and then overwrite 
> the name of the original class in its module with your new class.

I'll have a look at this. If it works from a dynamic patch that's all I 
need.

Thanks!

Yuppie
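
Added example, not part of the original message or of Zope: a pure-Python sketch of the subclass-and-rebind approach suggested above, showing which references pick up the replacement class and which still point at the original. The modules `old_product` and `consumer` and all helper names are constructed stand-ins; no Zope imports or security declarations are involved.

```python
import sys
import types

def make_old_product():
    """Build a constructed stand-in for Products.oldProduct (hypothetical, no Zope)."""
    mod = types.ModuleType("old_product")
    exec("class oldClass:\n    def oldMethod(self):\n        return 'original'\n",
         mod.__dict__)
    sys.modules["old_product"] = mod
    return mod

def replace_with_subclass(module, name, overrides):
    """Subclass module.<name> and rebind the module-level name to the subclass."""
    original = getattr(module, name)
    patched = type(name, (original,), dict(overrides))
    patched.__module__ = module.__name__
    setattr(module, name, patched)
    return original, patched

def stale_bindings(original):
    """List 'module.attr' names in loaded modules that still point at the original."""
    found = []
    for mod_name, mod in list(sys.modules.items()):
        if not isinstance(mod, types.ModuleType):
            continue
        for attr, value in list(mod.__dict__.items()):
            if value is original:
                found.append(f"{mod_name}.{attr}")
    return sorted(found)

def demo():
    mod = make_old_product()
    # Constructed consumer that bound the class before the patch ran, as
    # `from Products.oldProduct import oldClass` would in another product.
    consumer = types.ModuleType("consumer")
    consumer.oldClass = mod.oldClass
    sys.modules["consumer"] = consumer
    instance = mod.oldClass()  # object created before the patch

    original, _patched = replace_with_subclass(
        mod, "oldClass", {"oldMethod": lambda self: "patched"})
    return {
        "late_lookup": sys.modules["old_product"].oldClass().oldMethod(),
        "early_import": consumer.oldClass().oldMethod(),
        "old_instance": instance.oldMethod(),
        "stale": stale_bindings(original),
    }

if __name__ == "__main__":
    print(demo())
```

Only lookups made through the module after the rebind see the subclass; names imported earlier and instances created earlier keep the original class, so whatever the subclass changes does not reach them.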