[Zope] Security Guru Question

Stefan H. Holek stefan@epy.co.at
Wed, 15 Jan 2003 10:36:19 +0100


Alan!

I have been developing a user folder that requires the REQUEST to be
acquirable at all times. I hit the very same wall wrt local roles screens.

The issue seems to be that 'user_names' is called on an unwrapped 'acl_users'.

Just like you I figured that it is probably not a good idea to remove the
call to 'aq_base'. My solution was to rewrap 'user_names' right before
calling it.


--- Role.py     Thu Oct 17 19:14:50 2002
+++ Role.py     Thu Oct 17 19:37:35 2002
@@ -312,6 +312,7 @@
                 if mlu < 0: raise OverflowError
                 un =3D getattr(aclu, 'user_names', _notfound)
                 if un is not _notfound:
+                    un =3D aclu.__of__(item).user_names   # rewrap
                     unl =3D un()
                     # maxlistusers of 0 is list all
                     if len(unl) > mlu and mlu !=3D 0:
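Review bot: the added rewrap line 'un = aclu.__of__(item).user_names' restores the acquisition context that the 'aq_base(item)' lookup above this hunk stripped, so 'user_names' can again acquire the REQUEST or a connection object from containers above 'item'; because 'aclu' was fetched from 'aq_base(item)' itself, 'aclu.__of__(item)' yields the same wrapper that a plain 'item.acl_users' would, so the 'aq_base' guard keeps its purpose of only considering the user folder stored directly in 'item' rather than an acquired one. The earlier 'un = getattr(aclu, 'user_names', _notfound)' result now serves only as a presence check and is immediately overwritten; that is correct, but the comment should say so ("# presence check on the unwrapped folder; rewrap before calling") so a later reader does not "simplify" it back to calling the unwrapped method.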


HTH,
Stefan



--On Wednesday, 15 January 2003 00:25 -0600 Alan Runyan
<runyaga@runyaga.com> wrote:

> It's inside of AccessControl/Role.py in get_valid_userids()
>
> I have an object hierarchy like:
>
> Zope Root -> MyApp -> Company -> Business Units
>
> in My App I have a PsycoPG connection object called my_users
> and in all Companies I have an exUserFolder.
>
> now when I go to a Company or Business Unit and try to
> assign/edit/list Local roles it bombs.  Because exUserFolder
> can't find the 'my_users' connection object.  Why?  Well
> I know why..
>
> because when the xxxLocalRoles screens are called they
> call get_valid_userids which at the top says:
> aclu = getattr(aq_base(item), 'acl_users', _notfound)
>
> and immediately aclu has all acquisition wrappers peeled off
> of it and now I can not go any further up the hierarchy than
> Company.
>
> I am very tempted to take the aq_base(item) part off..and
> I believe all will work... But I really need someone who
> understands the implications of this to say what's the best
> way forward.  I was thinking about overriding this method
> in my Company/Business Unit classes with a version that
> doesn't have aq_base().

--
Those who write software only for pay should go hurt some other field.
/Erik Naggum/
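The failure Alan describes and the rewrap fix in Stefan's patch, as an added, self-contained example that is not code from the thread or from Zope. It uses a deliberately minimal pure-Python model of implicit acquisition (the Wrapper, Implicit, aq_base and __of__ names are toy stand-ins, not the real Acquisition/ExtensionClass package) and a constructed hierarchy Root -> MyApp -> Company -> Unit with a my_users connection on MyApp and a user folder on Company, mirroring the post. get_valid_userids is a cut-down toy version of the Role.py loop; the rewrap flag switches the patched line on and off.

```python
import types

# Added example, not from the original post or from Zope: a toy model of
# Zope 2 implicit acquisition, just enough to show why calling 'user_names'
# on an aq_base()'d user folder fails and why __of__(item) repairs it.

_notfound = []


class Wrapper:
    """Toy acquisition wrapper: attributes missing on the wrapped object are
    looked up on aq_parent, so lookups walk up the container chain."""

    def __init__(self, obj, parent):
        object.__setattr__(self, "aq_base", obj)
        object.__setattr__(self, "aq_parent", parent)

    def __getattr__(self, name):
        base = object.__getattribute__(self, "aq_base")
        parent = object.__getattribute__(self, "aq_parent")
        try:
            value = getattr(base, name)
        except AttributeError:
            # Not on the object itself: acquire it from the container.
            return getattr(parent, name)
        if isinstance(value, Implicit):
            # Sub-objects get wrapped in turn so they can acquire as well.
            return value.__of__(self)
        if isinstance(value, types.MethodType):
            # Rebind the method to the wrapper so 'self' inside it acquires.
            return value.__func__.__get__(self)
        return value


class Implicit:
    """Base for objects that take part in acquisition (toy stand-in)."""

    def __of__(self, parent):
        return Wrapper(self, parent)


def aq_base(obj):
    """Strip every acquisition wrapper, like Acquisition.aq_base."""
    while isinstance(obj, Wrapper):
        obj = object.__getattribute__(obj, "aq_base")
    return obj


class Folder(Implicit):
    def __init__(self, id, **children):
        self.id = id
        for name, child in children.items():
            setattr(self, name, child)


class Connection:
    """Stand-in for the PsycoPG connection object called my_users."""

    def __init__(self, rows):
        self.rows = rows

    def query(self, sql):
        return list(self.rows)


class UserFolder(Implicit):
    """Stand-in for exUserFolder: user_names needs an acquired connection."""

    def user_names(self):
        # my_users lives on MyApp, two levels up; only reachable if this
        # folder is wrapped in its container when the method is called.
        return self.my_users.query("select name from users")


def build_site():
    """Constructed hierarchy from the post: Root -> MyApp -> Company -> Unit."""
    root = Folder("root")
    myapp = Folder("myapp", my_users=Connection(["alice", "bob"]))
    company = Folder("company", acl_users=UserFolder())
    unit = Folder("unit")
    # Wrap each level in its container, as traversal does in Zope.
    return unit.__of__(company.__of__(myapp.__of__(root)))


def get_valid_userids(item, rewrap):
    """Toy version of the Role.py loop: walk up from item and collect the
    users of every user folder stored directly in a container."""
    names = set()
    while True:
        # aq_base: only a user folder contained *in* item, never an acquired one.
        aclu = getattr(aq_base(item), "acl_users", _notfound)
        if aclu is not _notfound:
            un = getattr(aclu, "user_names", _notfound)  # presence check
            if un is not _notfound:
                if rewrap:
                    un = aclu.__of__(item).user_names  # the patched line
                names.update(un())
        item = getattr(item, "aq_parent", _notfound)
        if item is _notfound:
            break
    return sorted(names)


def try_get_valid_userids(item, rewrap):
    """Run the loop and report the AttributeError instead of raising it."""
    try:
        return get_valid_userids(item, rewrap)
    except AttributeError as exc:
        return "AttributeError: %s" % exc


if __name__ == "__main__":
    print(try_get_valid_userids(build_site(), rewrap=False))
    print(try_get_valid_userids(build_site(), rewrap=True))
```

Without the rewrap the call runs on the bare UserFolder, which has no my_users and no container to acquire it from, so it fails exactly as in Alan's report; with the rewrap the folder is put back into Company's context and the lookup climbs to MyApp. Note that the aq_base guard still decides *which* user folder is consulted, so Unit does not pick up Company's folder as its own.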