[Zope-dev] Re: Zope 2 security and SimpleItem

Florent Guillaume fg at nuxeo.com
Sat Nov 19 21:45:09 EST 2005


Florent Guillaume wrote:
> I'm in the process of refactoring OFS to use new-style security
> declarations (about time ;)), and I stumbled on something which may or
> may not be a bug, I don't know, I'd like someone else's opinion:
> 
> The class SimpleItem has the definition (it's been there since the
> beginning of time when SimpleItem was created):
>     __ac_permissions__=(('View', ()),)
> The unusual thing here is () instead of ('',).

Hm, I now realize that this may be there just to define the View 
permission as available, but that's all. But there's still a discrepancy 
in the way SecurityInfo treats it.

Anyway I'm further in understanding security in Z2 than I've ever been :)

Florent


> I think the intent here is that it be the object level protection,  
> equivalent to the modern declareObjectProtected('View').
> Indeed, if the SimpleItem class had a
>   security = ClassSecurityInfo()
> (even by itself without further security declaration), then
> AccessControl/SecurityInfo, which has the code
>         # Empty names list sets access to the class itself, named ''
>         if not len(names):
>             names = ('',)
> would actually turn the () into a ('',) and the rest of the end of the
> security setup, in App/class_init.py, would set SimpleItem.__roles__ =
> PermissionRole('View') and that would be it.
> 
> However SimpleItem does *not* have this ClassSecurityInfo, which means
> that the code above is not called, and the final logic in class_init.py
> does not turn an empty tuple into "protect the object".
> 
> It means that SimpleItem does not have an object level protection of
> View (but the default which is that only Manager has access), which is
> probably as well but not clear from the code.
> 
> What do you think I should do?
> - fix to use View?
> - fix to use nothing?
> 
> Florent
> 


-- 
Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   fg at nuxeo.com
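Added example, not code from the thread or from Zope itself: a small self-contained model of the two paths described above. It assumes a stand-in `PermissionRole` class and two constructed helper functions (`security_info_normalize`, `class_init_apply`) that mimic the quoted SecurityInfo branch and the class_init attribute-setting step, so the difference between a bare `__ac_permissions__` with `()` and the same declaration routed through SecurityInfo can be checked offline.

```python
# Model (not Zope's own code) of how a class-level __ac_permissions__ tuple
# becomes __roles__ attributes. It reproduces the discrepancy from the thread:
# SecurityInfo normalises an empty names tuple to ('',), while the class_init
# step applied to a bare __ac_permissions__ does not.

class PermissionRole:
    """Constructed stand-in for AccessControl's PermissionRole."""
    def __init__(self, permission):
        self.permission = permission

    def __repr__(self):
        return "PermissionRole(%r)" % self.permission


def security_info_normalize(declarations):
    """Model of the SecurityInfo rule quoted above: an empty names list
    means the object itself, which is named ''."""
    out = []
    for permission, names in declarations:
        if not len(names):
            names = ('',)
        out.append((permission, tuple(names)))
    return tuple(out)


def class_init_apply(cls, ac_permissions):
    """Model of the class_init step: name '' sets cls.__roles__, any other
    name sets cls.<name>__roles__. With an empty names tuple the inner loop
    never runs, so no attribute is set at all."""
    for permission, names in ac_permissions:
        pr = PermissionRole(permission)
        for name in names:
            setattr(cls, name + "__roles__", pr)
    return cls


def object_protection(cls):
    """Permission guarding the object itself, or None if nothing was set
    (Zope then falls back to its default, as the thread notes)."""
    pr = cls.__dict__.get("__roles__")
    return pr.permission if pr is not None else None


# Case 1: bare __ac_permissions__ = (('View', ()),), no ClassSecurityInfo.
class BareItem:
    __ac_permissions__ = (('View', ()),)

class_init_apply(BareItem, BareItem.__ac_permissions__)

# Case 2: the same declaration routed through the SecurityInfo normalisation.
class InfoItem:
    pass

class_init_apply(InfoItem, security_info_normalize((('View', ()),)))
```

Calling `object_protection(BareItem)` returns `None` while `object_protection(InfoItem)` returns `'View'`, which is exactly the gap between the two code paths discussed in the thread.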
