[Zope] Security Assertions, maybe time to change SimpleItem?!

Chris Withers chrisw@nipltd.com
Tue, 21 May 2002 13:02:04 +0100


"Pierce, Scott" wrote:
> 
> OK, I'll publicly humiliate myself now.

Not entirely, other than not really reading the bit about security in the ZDG ;-)

> my own oversight.  I incorrectly believed that having turned off permission
> acquisition and limiting 'View' access to a few select roles would be
> sufficient regarding DTMLFiles.  

I assume you're developing a Python Product here? 

The answer is that it probably should, but you got caught out by a piece of history.
It is documented that if you make no security assertions about a method in a python
product that nothing will be able to access them, which is what you should have been
experiencing, and which would have told you much more quickly that you had forgotten to
make any security assertions.

However, this policy was only(?!) introduced back in Zope 2.2 and so, for fear of breaking
lots of code, a class called SimpleItem has an __access_unprotected_subobjects__=1
assertion. This basically makes unprotected stuff anonymously viewable, which was the old
policy.

Sadly, pretty much everything subclasses SimpleItem, so the documented security policy
isn't really adhered to much, hence when you forgot to make security assertions, the
methods became anonymously viewable, which, from your point of view, sux ass.

> I believe, and am not completely sure, that
> this is not the case because they are global having been 'instantiated' via:
> index_html = DTMLFile('index_html', globals()) within a product.

...so this isn't quite correct.

> frustration/desperation as inappropriate.  Zope can be a dark mistress.

...some would say a complete bitch ;-)

Maybe it's time to change that assertion in SimpleItem and finally break all the code that
people should have fixed long ago?

cheers,

Chris
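
An added example, not part of the original message and not Zope's own code: a stand-in model of the policy described above that audits a class for methods carrying no security assertion and reports whether an inherited fallback flag would expose them. `LegacyBase`, `StrictBase`, `Report`, `StrictReport` and `audit` are hypothetical names; the `name__roles__` convention and the full attribute spelling are taken from Zope 2, and the flag is treated here as a plain boolean.

```python
import inspect

# Zope 2 stores the assertion for method `foo` as a class attribute
# `foo__roles__`; the fallback flag is spelled out in full in Zope's source.
FLAG = "__allow_access_to_unprotected_subobjects__"
UNDECLARED = object()


def audit(cls):
    """Classify each public callable on cls as 'declared', 'exposed' or 'denied'."""
    fallback = bool(getattr(cls, FLAG, 0))  # simplification: boolean only
    report = {}
    for name, value in inspect.getmembers(cls):
        if name.startswith("_") or name.endswith("__roles__"):
            continue
        if not callable(value):
            continue
        roles = getattr(cls, name + "__roles__", UNDECLARED)
        if roles is not UNDECLARED:
            report[name] = "declared"
        else:
            # No assertion: default-deny unless the fallback flag is inherited.
            report[name] = "exposed" if fallback else "denied"
    return report


def _page(self):
    return "constructed sample content"


class LegacyBase:  # plays the role of SimpleItem (hypothetical stand-in)
    __allow_access_to_unprotected_subobjects__ = 1


class StrictBase:  # documented policy: no fallback flag
    pass


class Report(LegacyBase):
    index_html = _page                   # the forgotten assertion
    manage_edit = _page
    manage_edit__roles__ = ("Manager",)  # what a declaration leaves behind


class StrictReport(StrictBase):
    index_html = _page


if __name__ == "__main__":
    for cls in (Report, StrictReport):
        print(cls.__name__, audit(cls))
```

Anything reported as `exposed` is a method that works only because of the legacy flag and would stop being reachable if the flag were removed from the base class.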