[Zope-dev] Zope 2 security and SimpleItem
Florent Guillaume
fg at nuxeo.com
Sat Nov 19 21:14:06 EST 2005
I'm in the process of refactoring OFS to use new-style security
declarations (about time ;)), and I stumbled on something which may
or may not be a bug, I don't know, I'd like some else's opinion:
The class SimpleItem has the definition (it's been there since the
begining of time when SimpleItem was created):
__ac_permissions__=(('View', ()),)
The unusual thing here is () instead of ('',).
I think the intent here is that it be the object level protection,
equivalent to the modern declareObjectProtected('View').
Indeed, if the SimpleItem class had a
security = ClassSecurityInfo()
(even by itself without further security declaration), then
AccessControl/SecurityInfo, which has the code
# Empty names list sets access to the class itself, named ''
if not len(names):
names = ('',)
would actually turn the () into a ('',) and the rest of the end of
the security setup, in App/class_init.py, would set
SimpleItem.__roles__ = PermissionRole('View') and that would be it.
However SimpleItem does *not* have this ClassSecurityInfo, which
means that the code above is not called, and the final logic in
class_init.py does not turn an empty tuple into "protect the object".
It means that SimpleItem does not have an object level protection of
View (but the default which is that only Manager has access), which
is probably as well but not clear from the code.
What do you think I should do?
- fix to use View?
- fix to use nothing?
Florent
--
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com
More information about the Zope-Dev
mailing list