[Zope-dev] Re: 2.7.3 beta attribute permission problems
Tres Seaver
tseaver at zope.com
Tue Oct 19 16:39:09 EDT 2004
Dieter Maurer wrote:
> Santi Camps wrote at 2004-10-19 15:05 +0200:
>
>>...
>>Error Type: Unauthorized*
>>*Error Value: The container has no security assertions. Access to
>>'get_sum_of_values' of (Adapter instance at 40ae6ac0) denied.*
>
>
> This tells you that the container containing "get_sum_of_values"
> does not have security assertions. Is this wrong?
The container (the class Test.Test in Santi'a product) does have
security assertions for *itself*:
class Test(OrderedFolder):
"""
Test
"""
meta_type = 'AccessControl Test'
security = ClassSecurityInfo()
security.declareObjectProtected('View')
However it makes no assertion for the attribute 'get_sum_of_values':
############################################################
def get_sum_of_values(self):
"""
"""
return self.value1 + self.value2
AFAICT, the new behavior is perfectly correct here: absent either an
explicit permisison declaration for 'get_sum_of_values', or a "blanket
grant" for unprotected subobjects (e.g, 'security.setDefaultAccess(1)'),
the template which fails *should* fail; the fact that it used to
succeed was merely a security hole.
Tres.
--
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
More information about the Zope-Dev
mailing list