[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py
Jim Fulton
jim at zope.com
Thu Jan 15 13:26:26 EST 2004
Tres Seaver wrote:
> Jim Fulton wrote:
>
>> Tres Seaver wrote:
>>
>>> I will let Jim comment on your use case.
>>
>>
>>
>> What use case? I missed it. Where is it?
>
>
> Here is Stuart's original post:
>
>> This has the side effect of not passing the name attribute to
>> my security assertion methods registered via
>> ClassSecurityInfo.setDefaultAccess:
>>
>> class Foo(blah, blah, blah):
>>     security = ClassSecurityInfo()
>>     def _checkAccess(self, name, value):
>>         if name.startswith('CG'):
>>             return 1
>>         return 0
>>     security.setDefaultAccess(_checkAccess)
>>
>>     def __getitem__(self, key):
>>         ''' Access via dictionary interface, with security
>>             provided via _checkAccess
>>         '''
>>         return 'example'
>
>
> The old code allowed this example to work, because it passed 'name' when
> validating __getitem__ access.
OK, I can see that the code was using this. I still don't understand what
the use case is. :)

I'm saying YAGNI to controlling access to mapping items based on keys.
I'd like to hear a convincing argument for why we need to support this.
Saying that the old implementation did it that way is not convincing
to me. In fact, I'm pretty sure that I can point to old implementation that
didn't pass the name for item access.

Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
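
An added illustration of the behaviour discussed in this thread, not code from the original posts or from Zope: a simplified model of validating an item obtained through `__getitem__`, with and without the key passed as `name` to a name-based default-access check. `validate_item`, `traverse_item`, `outcome` and the fail-closed variant are hypothetical names, and the checker receiving `None` when the name is not passed is an assumption.

```python
# Simplified model (assumption): this is NOT Zope's AccessControl code.
# validate_item() and traverse_item() are hypothetical stand-ins for the
# traversal step that validates a value obtained through __getitem__.

class Unauthorized(Exception):
    pass

def check_access_as_posted(name, value):
    # Same logic as _checkAccess in the quoted post (self omitted).
    if name.startswith('CG'):
        return 1
    return 0

def check_access_fail_closed(name, value):
    # Variant that treats a missing name as "deny" instead of raising.
    if name is None:
        return 0
    return 1 if name.startswith('CG') else 0

def validate_item(checker, name, value):
    # Deny unless the default-access callable returns a true value.
    if not checker(name, value):
        raise Unauthorized(repr(name))
    return value

def traverse_item(container, key, checker, pass_name):
    value = container[key]
    # pass_name=True models the old behaviour described in the thread;
    # pass_name=False models validation without the key (assumed None).
    return validate_item(checker, key if pass_name else None, value)

def outcome(key, checker, pass_name):
    container = {'CG1': 'example', 'other': 'example'}  # constructed sample data
    try:
        traverse_item(container, key, checker, pass_name)
        return 'allowed'
    except Unauthorized:
        return 'denied'
    except AttributeError:
        # None has no startswith(): the check breaks instead of deciding.
        return 'error'

if __name__ == '__main__':
    for checker in (check_access_as_posted, check_access_fail_closed):
        for pass_name in (True, False):
            for key in ('CG1', 'other'):
                print(checker.__name__, pass_name, key,
                      outcome(key, checker, pass_name))
```
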