[Zope] NUXUserGroups Zope security
Sion Morris
s.morris@bangor.ac.uk
Sun, 14 Jul 2002 13:32:29 +0100
On Sunday, July 14, 2002, at 11:32 am, Chris Withers wrote:
> Sion Morris wrote:
>>
>> So to access any methods of objects from a python script or DTML I have
>> to create an external method? Is this right.
>
> Yes, unless those methods have been specifically designed to be used
> from Python
> Scripts.
>
>> Would some kind soul
>> explain why this is the case or if I'm doing it incorrectly or I missed
>> something.
>
> It's for security reasons. If you have a look in standard.py of the
> PythonScripts product, you can see how to make security assertions about
> modules, classes and their methods.
>
>> I have read the security.declareProtected stuff on ZDG and noticed that
>> getUsers has
>> security.declareProtected(ManageUsers, 'getUsers'). The python script
>> above has a proxy role of manager which has permission to 'Manage
>> users'.
>
> Hmmm... that is odd. Are you sure that's the getUsers you're executing?
> If it is, then maybe there's a bug lurking here?
It may be that I'm accessing the wrong method. This is what I've done to
check (hope not to show my complete ineptness):
In a python script:
group=context.acl_users.getGroupById('OMT') #where 'OMT' is the name of
the group.
return group
Executing the script return an error as expected, but with "Resource:
Group instance at 8e8ae18"
So a 'Group' object is returned. The class 'Group' from
UserFolderWithGroups.py (NuxUserGroups) has a method
security.declareProtected(ManageUsers, 'getUsers')
def getUsers(self):
"""Group users"""
return tuple(self.users)
This is what I'm attempting to use here:
group=context.acl_users.getGroupById('OMT') #where 'OMT' is the name of
the group.
users = group.getUsers()
return users
except an error is raised: "Error Value: You are not allowed to access
getUsers in this context"!
>
> cheers,
>
> Chris
>
I can use an external method to access these methods but it feels like
needless duplication.
Many thanks,
Sion