[Zope] Re: [Search] Documentation for "__guarded_*__"
Evan Simpson
evan@4-am.com
Thu, 22 Aug 2002 18:24:18 -0500
Dieter Maurer wrote:
> I am searching documentation for "__guarded_getattr__", "__guarded_setattr__"
> and friends.
I'm pretty sure that there are no "__guarded_get..." methods. The point
of the "__guarded_set..." and "__guarded_del..." methods is to tell the
security machinery that a class knows about write security (even though
it may ignore it), so go ahead and allow the write by calling the handler.
This is necessary because normal Zope security is access-oriented.
Write operations are usually protected by disallowing all direct
manipulation of attributes and subitems, and controlling access to
methods that perform writes.
This is why you could do "x = [1,2]; x.pop()" but not "x = [1,2]; del
x[1]" in the old Python Methods; __delitem__ was forbidden, but access
to pop() was allowed.
> Is the following definition correct
> when I want the dynamic attributes (defined by "__getattr__")
> to be protected in the same way normal attributes are:
You shouldn't need to do anything special to protect attribute access,
unless there's a bad side effect. Normally, secured code fetches the
value and then calls validate() on the container, name, value, etc. It
makes no difference that your attributes are dynamic, you'll get the
same protection.
Cheers,
Evan @ 4-am