[Zope-dev] Security Gurus Wanted

vio vmilitaru@sympatico.ca
Sat, 19 Jan 2002 10:43:19 -0500


* vio <vmilitaru@sympatico.ca> [020119 09:56]:
> vio wrote:
> > Just a word to thank you for your reply.
> > But incidentally, wouldn't it be a good idea for Globals.InitializeClass()
> > to throw an error
> > or a warning of some kind for hanging 'security.stuff()' declarations,
> > declarations which do not have a related ClassSecurityInfo object AT THE
> > CLASS LEVEL?
> 
> That would be a fine idea. Unfortunately, there is no straightforward
> way of telling that you called methods on the security object in the class
> definition.

Why not simply check for the keyword 'security.' in the class source?
Anything beginning with that word most probably has something to do with
security. But if 'security' is not a reference to a security object,
just throw an exception. This would make everything so much simpler.

> 
> When you call Globals.InitializeClass(your_class), it looks for a 
> ClassSecurityInfo object, and doesn't find one.

If I understood correctly, this should be treated like an error:
do not allow the programmer to have calls to security methods which
aren't there, because that's more or less what's happening here. And
definitely don't be silent about it!!! That's a syntax error or something.

So Globals.InitializeClass(your_class) finds the declaration
'security.declareSomething()' inside a class, but 'security', being
a reference to a ClassSecurityInfo object AT THE MODULE LEVEL, somehow has
no effect at the class level (while I wrongly thought that by declaring it
at the module level like that, it would behave more or less like a 'global'
variable). I wonder what was carried at the class level, but something
definitely was, else Python would have thrown something ugly at me.

In my opinion, Globals.InitializeClass() should check such calls to
security methods, and by all means NOT remain silent if it cannot carry out
the call because it couldn't find a ClassSecurityInfo object's method.
Throw a 'method not found' error or something like that.
Silence = 'bad'. I'll even say it's a bug.

Vio
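As an added illustration (not code from this thread or from Zope itself), a minimal stand-in for ClassSecurityInfo and Globals.InitializeClass that reproduces the silent failure vio describes, together with the kind of "orphan declaration" check the post asks for; the class names, the simplified permission map and the stand-in functions are all assumptions, not Zope's real internals.

```python
# Added stand-in (not Zope's code) for ClassSecurityInfo / InitializeClass,
# simplified to show why a module-level security object is ignored.
class ClassSecurityInfo:
    """Records declarations; they take effect only when applied to a class."""
    def __init__(self):
        self.names = {}        # attribute name -> permission
        self.applied = False

    def declareProtected(self, permission, *names):
        for name in names:
            self.names[name] = permission

def initialize_class(cls):
    """Like Zope's InitializeClass, applies only the security info objects
    found in the class's own __dict__, then removes them from the class."""
    permissions = {}
    for attr, value in list(vars(cls).items()):
        if isinstance(value, ClassSecurityInfo):
            permissions.update(value.names)
            value.applied = True
            delattr(cls, attr)
    cls._permissions = permissions    # simplified stand-in for __ac_permissions__
    return permissions

def find_orphan_security_info(namespace):
    """The check the post asks for: names in `namespace` (e.g. a module's
    globals()) bound to a ClassSecurityInfo that was never applied to a class."""
    return sorted(name for name, value in namespace.items()
                  if isinstance(value, ClassSecurityInfo)
                  and value.names and not value.applied)

# Constructed scenario: the mistake described in the post.
security = ClassSecurityInfo()        # module level: the wrong place

class Wrong:
    # Resolves to the module-level object, so nothing is attached to the class.
    security.declareProtected('View', 'index_html')
    def index_html(self):
        return 'hi'

class Right:
    security = ClassSecurityInfo()    # class level: what Zope expects
    security.declareProtected('View', 'index_html')
    def index_html(self):
        return 'hi'

def demo():
    """Returns (Wrong's permissions, Right's permissions, orphan names)."""
    return (initialize_class(Wrong), initialize_class(Right),
            find_orphan_security_info(globals()))
```

Running `demo()` shows `Wrong` ends up with no permissions at all while the module-level `security` object still holds its unapplied declaration, which is exactly the silent condition an error from InitializeClass would surface.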