[Zope] RE: Security Assertions, maybe time to change SimpleItem?!

Pierce, Scott Scott.Pierce@Sonopress.com
Tue, 21 May 2002 09:12:03 -0400


Exactly, the fact that I could still access them is what caused me to
abandon the feature 4 weeks ago not realizing the other effect.  Trust me,
I have likely read that element of the ZDG 5 times if not more.  Although I
believe in RTFM, with something as esoteric as Zope you gotta lighten up.
Zope needs a mentoring program.  The docs just aren't there yet.  It
honestly was not my intention to threaten anything.  I was simply scared
that I was going to have to jump ship with only a week and a half to go.

Hmmm... my class was explicitly inheriting SimpleItem.SimpleItem so I
wouldn't have to bother with the order in which I inherited.  Another Zope
lesson learned.  Unfortunately, I only have so much cranial capacity to
spare.  I'm afraid I am going to have to drop a few birthdays and an
anniversary to make room.

Scott

-----Original Message-----
From: Chris Withers [mailto:chrisw@nipltd.com]
Sent: Tuesday, May 21, 2002 8:02 AM
To: Pierce, Scott
Cc: 'zope@zope.org'
Subject: Security Assertions, maybe time to change SimpleItem?!


"Pierce, Scott" wrote:
> 
> OK, I'll publicly humiliate myself now.

Not entirely, other than not really reading the bit about security in the
ZDG ;-)

> my own oversight.  I incorrectly believed that having turned off permission
> acquisition and limiting 'View' access to a few select roles would be
> sufficient regarding DTMLFiles.

I assume you're developing a Python Product here? 

The answer is that it probably should, but you got caught out by a piece of history.
It is documented that if you make no security assertions about a method in a python
product that nothing will be able to access them, which is what you should have been
experiencing, and which would have told you much more quickly that you had forgotten to
make any security assertions.

However, this policy was only(?!) introduced back in Zope 2.2 and so, for fear of breaking
lots of code, a class called SimpleItem has an __access_unprotected_subobjects__=1
assertion. This basically makes unprotected stuff anonymously viewable, which was the old
policy.

Sadly, pretty much everything subclasses SimpleItem, so the documented security policy
isn't really adhered to much, hence when you forgot to make security assertions, the
methods became anonymously viewable, which, from your point of view, sux ass.

> I believe, and am not completely sure, that
> this is not the case because they are global having been 'instantiated' via:
> index_html = DTMLFile('index_html', globals()) within a product.

...so this isn't quite correct.

> frustration/desperation as inappropriate.  Zope can be a dark mistress.

...some would say a complete bitch ;-)

Maybe it's time to change that assertion in SimpleItem and finally break all the code that
people should have fixed long ago?

cheers,

Chris
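
The inheritance effect discussed in this thread, as an added example that is not part of the original messages and is not Zope code: a simplified audit that lists public methods with no security assertion and reports whether an inherited flag turns the documented default-deny into anonymous access. The flag name is copied as spelled in the message; the `<name>__roles__` marker for a declared method and all class names are assumptions of this model.

```python
import inspect

# Flag name copied as spelled in the message; a parameter so it can be changed.
FLAG = "__access_unprotected_subobjects__"

def flag_origin(cls, flag=FLAG):
    """Class in the MRO whose own truthy flag takes effect, or None."""
    for base in cls.__mro__:
        if flag in vars(base):
            return base if vars(base)[flag] else None
    return None

def audit(cls, flag=FLAG):
    """Classify public methods that carry no '<name>__roles__' declaration."""
    origin = flag_origin(cls, flag)
    verdict = "exposed" if origin else "denied"
    report = {}
    for name, _member in inspect.getmembers(cls, callable):
        if name.startswith("_") or hasattr(cls, name + "__roles__"):
            continue  # private, or an explicit assertion exists
        report[name] = verdict
    return origin, report

# Constructed stand-ins for illustration; these are not Zope classes.
class LegacyBase:  # plays the part SimpleItem has in the message
    __access_unprotected_subobjects__ = 1

class StrictBase:
    pass

class ProductMixin:
    def index_html(self):
        return "page"
    def manage_edit(self):
        return "edited"
    manage_edit__roles__ = ("Manager",)  # the only assertion made

class MyProduct(ProductMixin, LegacyBase):
    pass

class MyStrictProduct(ProductMixin, StrictBase):
    pass

if __name__ == "__main__":
    for cls in (MyProduct, MyStrictProduct):
        origin, report = audit(cls)
        print(cls.__name__, getattr(origin, "__name__", None), report)
```

Reporting the class that contributes the flag matters because, as in this thread, the product author never set it and only inherited it.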