[Zope-dev] Security assertions / non-acquired objects

Jens Vagelpohl jens@zope.com
Mon, 16 Sep 2002 08:27:20 -0400 

security declarations need acquisition contexts to work AFAIK...

maybe you could hack around that by setting (hack!) 
__allow_access_to_unprotected_subobjects__ = 1 in your APStory class. 
or you have to make sure you wrap every APStory in the context of a 
valid zope object with __of__ before you access anything on them.

jens

On Monday, Sep 16, 2002, at 01:25 US/Eastern, sean.upton@uniontrib.com 
wrote:

> I have been spending a bunch of time pulling my hair out on this one, 
> so any
> insight that anyone might have would be appreciated.
>
> I have been building a product that takes advantage of a module that I 
> have
> built to query an external data source (NNTP server for AP wire 
> stories) for
> items to be imported into a CMF site.  The product has an adapter that
> returns a list of temporary objects to get access at external data. The
> query method for the adapter that I have set up returns a plain-old 
> list of
> objects of a custom class; I would like to be able to get access to 
> these
> objects and their methods with TTW python scripts.  However, no matter 
> what
> security assertions I put into the class for the said objects, I still 
> get
> something along the line of:
>
> The container has no security assertions. Access to 'Title' of (APStory
> instance at a6704a0) denied.
>
> I'm not sure if the security assertions are not working because the 
> objects
> within the list returned by my adapter object have no acquisition 
> context,
> or if the issue is something different...
>
> So say I have some method (that is itself declared as public) that 
> returns
> something like this:
>
> [<APStory instance at aaa08b0>, <APStory instance at b2c7168>, <APStory
> instance at b442a28>, <APStory instance at b1e9a60>, <APStory instance 
> at
> a8fa7a8>, <APStory instance at a406a28>, <APStory instance at a676f48>]
>
> ...without any problems (for example, I can traverse via URL to get 
> this),
> where each APStory object is a temporary, in-memory list that is just 
> the
> return value of my function.  However, whenever I try to access any of 
> these
> objects within the list from a TTW python script, I get Access denied. 
>  All
> I really want is to be able to access all the methods of each of these
> objects without interference from Zope's security mechanism.
>
> I'm totally baffled on this one (I've been through about 4 cups of 
> coffee
> already on this problem alone).  I'm using Zope 2.6a1 with 
> VerboseSecurity
> installed. Any help or pointers  is greatly appreciated.
>
> Sean