[Zope-dev] Re: Bad interaction between Zope 2.7.3 and CMF 1.4
Dieter Maurer
dieter at handshake.de
Sun Oct 10 17:09:06 EDT 2004
Tres Seaver wrote at 2004-10-9 12:04 -0400:
>Stefan H. Holek wrote:
>> While testing a large-ish customer project under Zope 2.7.3 we found that
>> when an object with setDefaultAccess('deny') is used as the context for
>> a PythonScript, the script can no longer aquire tools from the portal
>> root.
>
>*By definition*, anybody who has declared 'setDefaultAccess('deny')
>*wants* the behavior you describe: that declaration says, "unless I
>give you explicit permission for using a name, refuse."
I do *NOT* think that this is the intended semantics of
"setDefaultAccess('deny')".
In my view, "setDefaultAccess(XXX)" should only affect objects
that do not have security declarations themselves.
Acquired tools have security declarations -- they should not be
affected by "setDefaultAccess".
>If Plone has classes which make such assertions, then either the authors
>*meant* them, or they need to be removed. This is (literally) the same
>thing as declaring '__allow_access_to_unprotected_subobjects__ = 0' in
>your class.
With this name, it becomes even clearer:
Acquires tools are neither "unprotected" nor "subobjects".
--
Dieter
More information about the Zope-Dev
mailing list