[Zope-dev] Re: security problem in an monkey-patch
Joachim Schmitz
js at aixtraware.de
Wed Sep 19 11:30:17 EDT 2007
Tres Seaver wrote:
>> security.declareProtected(view_management_screens, 'getBypassQueue')
>> def getBypassQueue(self):
>>     "get _by_pass"
>>     if not hasattr(self, "_bypass"):
>>         self._bypass = False
>>     return self._bypass
>
> I would write this as:
>
> return getattr(self, '_bypass', False)
>
> avoiding both write-on-read and hasattr in one fell swoop.
Thanks for the tip.
>
>> <input type="checkbox" name="enable_bypass"
>> tal:attributes="checked
>> here/portal_catalog/getBypassQueue" />
>>
>> I get:
>> Unauthorized: The container has no security assertions. Access to
>> 'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.
>>
>> What am I missing here?
>
> You need to supply security assertions for the new method you have added
> to the class (your security assertions are being "left behind" in the
> context where you defined the function). Likely you can add another
> attribute to the class, 'getBypassQueue__roles__', with the value being
> a tuple, ('Manager',) (unless you want to figure out how to create a
> PermissionRoles object yourself).
I solved it with:
QueueCatalog.getBypassQueue__roles__ = ['Manager', 'Owner',]
Thanks for the help.
--
Regards, Joachim
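
A simplified model of the lookup discussed in this thread, added here as an illustration; it is not code from the thread or from Zope's AccessControl. `declare_protected`, `guarded_call` and `unasserted_methods` are hypothetical helpers and `QueueCatalog` is a toy stand-in: the patched method is denied until `getBypassQueue__roles__` is set, and the audit lists methods attached without an assertion.

```python
# Simplified model, NOT AccessControl's implementation. Only the
# '<name>__roles__' attribute convention comes from the thread.
class Unauthorized(Exception):
    pass

def declare_protected(cls, roles, name):
    """Hypothetical stand-in for class initialisation: record the roles
    declared for a method as '<name>__roles__' on the class."""
    setattr(cls, name + '__roles__', tuple(roles))

def guarded_call(obj, name, user_roles):
    """Call obj.<name>() only if the class carries a matching assertion."""
    roles = getattr(type(obj), name + '__roles__', None)
    if roles is None:
        raise Unauthorized('no security assertions for %r' % name)
    if not set(roles) & set(user_roles):
        raise Unauthorized('%r requires one of %r' % (name, roles))
    return getattr(obj, name)()

def unasserted_methods(cls):
    """Audit: public functions on cls that lack '<name>__roles__'."""
    return sorted(n for n, v in vars(cls).items()
                  if callable(v) and not n.startswith('_')
                  and not hasattr(cls, n + '__roles__'))

class QueueCatalog(object):  # toy stand-in for the patched class
    def manage_edit(self):
        return 'edited'
declare_protected(QueueCatalog, ['Manager'], 'manage_edit')

def getBypassQueue(self):  # defined outside the class, as in a monkey-patch
    return getattr(self, '_bypass', False)  # read without writing
QueueCatalog.getBypassQueue = getBypassQueue  # no assertion travels with it

def demo():
    cat = QueueCatalog()
    missing_before = unasserted_methods(QueueCatalog)
    try:
        guarded_call(cat, 'getBypassQueue', ['Manager'])
        denied = False
    except Unauthorized:
        denied = True
    QueueCatalog.getBypassQueue__roles__ = ('Manager',)  # value from the thread
    value = guarded_call(cat, 'getBypassQueue', ['Manager'])
    return missing_before, denied, value, unasserted_methods(QueueCatalog), vars(cat)

if __name__ == '__main__':
    print(demo())
```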