[Zope-dev] security.declareProtected doesn't always work?
Dieter Maurer
dieter@handshake.de
Wed, 2 Jan 2002 21:43:20 +0100
Martijn Faassen writes:
> I have some issues with using declareProtected() outside product
> classes (deriving from ObjectManager or SimpleItem). An external method
> example that _does_ work, taken from the ZDG:
>
> import Globals
> import Acquisition
> from AccessControl import ClassSecurityInfo
>
> class Book(Acquisition.Implicit):
> def __init__(self, title):
> self._title=title
>
> # Create a SecurityInfo for this class
> security = ClassSecurityInfo()
> security.declareObjectPublic()
>
> security.declarePublic('getTitle')
> def getTitle(self):
> return self._title
>
> Globals.InitializeClass(Book)
>
> # The actual external method
> def GetBooks(self):
> books=[]
> books.append(Book('King Lear'))
> books.append(Book('Romeo and Juliet'))
> books.append(Book('The Tempest'))
> return books
>
> Now replace the line "security.declarePublic('getTitle')" with something like
> "security.declareProtected('View', 'getTitle')", and suddenly nobody is
> allowed to call getTitle() on a Book object anymore.
You must acquistion wrap your book objects. Otherwise, Zope's
security code is unable to find the permission-role mapping.
Try:
return books.__of__(self)
Dieter