[Zope] Zope product security question

Michael R. Schwab Michael.Schwab-mail.zope.org@icantbelieveididthat.com
Mon, 10 Mar 2003 16:00:14 -0600


Paul Winkler wrote:
> On Mon, Mar 10, 2003 at 03:33:18PM -0600, Michael R. Schwab wrote:
> 
>>I've noted two different methods for declaring security in a class.
> 
> (snip)
> 
>>The second method, which I believe to be the most recent,
> 
> 
> that's correct.
> 
>>The second method seems to be the newest and most logical approach.
>>The exception being that the default security access to 'deny' does
>>not permit me to access attributes from my class that are basic Python
>>types such as strings (e.g. meta_type from a DTML Method).  I could
>>declare the default security access to 'allow', but that seems
>>inherently dangerous from a security standpoint.
> 
> I think what you're looking for is
> __allow_access_to_unprotected_subobjects__ = 1

Hmmm...  Not quite what I'm looking for.  If my class contains mutable 
attributes such as a list, this could cause a potential security risk.

> or, just make declarations on specific attributes:
> 
> security.declarePublic('meta_type')
> self.meta_type = "blah"

I have attempted this previously.  Since 'meta_type' is a Python string 
and not a method, security.declarePublic('meta_type') does not set 
'meta_type' to be public.

It results in:

Error Type: Unauthorized
Error Value: You are not allowed to access meta_type in this context
--
Michael R. Schwab