[Zope] Zope product security question

sean.upton@uniontrib.com
Tue, 11 Mar 2003 10:52:36 -0800


This is a good question, and I do not know if this is the case, but I have
seen behavior with __allow_access_to_unprotected_subobjects__ that would
suggest that it might be (i.e. it didn't work, and out of frustration, I had
to go about doing security declarations for my helper objects another, more
complicated, way).

This is one place that Zope really makes it difficult to use Python code not
initially written with Zope in mind.

Sean

-----Original Message-----
From: Michael R. Schwab
[mailto:Michael.Schwab-mail.zope.org@icantbelieveididthat.com]
Sent: Tuesday, March 11, 2003 8:49 AM
To: zope@zope.org
Subject: Re: [Zope] Zope product security question


Paul Winkler wrote:
> On Mon, Mar 10, 2003 at 03:33:18PM -0600, Michael R. Schwab wrote:

(snip)

>>The second method seems to be the newest and most logical approach.
>>The exception being that the default security access of 'deny' does
>>not permit me to access attributes from my class that are basic Python
>>types such as strings (e.g. meta_type from a DTML Method).  I could
>>declare the default security access to 'allow', but that seems
>>inherently dangerous from a security standpoint.
> 
> I think what you're looking for is
> __allow_access_to_unprotected_subobjects__ = 1

Having dug a little further into the bowels of Zope, I don't believe 
that this will work, even if I had wanted to use it.

Setting __allow_access_to_unprotected_subobjects__ to 1 would be 
overridden by Globals.InitializeClass.

In Globals.InitializeClass, there is a check to determine what the 
default access policy is set to ('allow' or 'deny' via the 
security.setDefaultAccess() call).  If the default access has been set, 
__allow_access_to_unprotected_subobjects__ is assigned the value of 
default access ('deny' == 0 and 'allow' == 1).

Am I off the mark here?

> or, just make declarations on specific attributes:
> 
> security.declarePublic('meta_type')
> self.meta_type = "blah"

Thanks,
Michael
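The interplay Michael describes (a class that sets __allow_access_to_unprotected_subobjects__ by hand, a security.setDefaultAccess() call that InitializeClass then copies over it, and per-attribute declarePublic()/declareProtected() declarations that are checked first) can be seen in a small stand-alone model. The block below is an added example written for this thread; it is not Zope's AccessControl or Globals code and not anything either poster wrote. The ClassSecurityInfo, InitializeClass and is_accessible names are simplified stand-ins for the real Zope names, and the ROLE_PERMISSIONS table and the two sample classes are constructed for the example.

```python
"""Constructed model of how Zope 2 class security declarations resolve.

Stand-alone example for this thread; it is NOT Zope's own
AccessControl / Globals code. It mirrors the behaviour the thread
describes: InitializeClass copies the setDefaultAccess() value onto
__allow_access_to_unprotected_subobjects__ ('deny' -> 0, 'allow' -> 1),
and per-attribute declarations such as declarePublic() take precedence
over that class-wide fallback.
"""

# Constructed permission table: which roles hold which permissions.
ROLE_PERMISSIONS = {
    'Manager': {'View', 'Manage portal'},
    'Anonymous': {'View'},
}


class ClassSecurityInfo:
    """Stand-in for AccessControl.ClassSecurityInfo (a model, not the real one)."""

    def __init__(self):
        self.default_access = None   # None, 'allow' or 'deny'
        self.declarations = {}       # attribute -> 'public', 'private' or a permission

    def setDefaultAccess(self, access):
        if access not in ('allow', 'deny'):
            raise ValueError("default access must be 'allow' or 'deny'")
        self.default_access = access

    def declarePublic(self, *names):
        for name in names:
            self.declarations[name] = 'public'

    def declarePrivate(self, *names):
        for name in names:
            self.declarations[name] = 'private'

    def declareProtected(self, permission, *names):
        for name in names:
            self.declarations[name] = permission


def InitializeClass(cls):
    """Model of Globals.InitializeClass: bake the declarations into the class."""
    security = cls.__dict__.get('security')
    if security is None:
        return cls
    # The override discussed in the thread: once setDefaultAccess() has been
    # called, the flag the class set by hand is replaced by the default access.
    if security.default_access is not None:
        cls.__allow_access_to_unprotected_subobjects__ = int(security.default_access == 'allow')
    cls.__security_declarations__ = dict(security.declarations)
    return cls


def is_accessible(cls, name, roles):
    """Would code running with `roles` be allowed to read attribute `name`?"""
    decl = getattr(cls, '__security_declarations__', {}).get(name)
    if decl == 'public':
        return True
    if decl == 'private':
        return False
    if decl is not None:   # a permission name, granted through the caller's roles
        return any(decl in ROLE_PERMISSIONS.get(role, ()) for role in roles)
    # No declaration for this attribute: fall back to the class-wide flag.
    # Only the int form is modelled here; real Zope also accepts a dict or callable.
    return bool(getattr(cls, '__allow_access_to_unprotected_subobjects__', 0))


class HandFlagged:
    """Sets the flag directly and never calls setDefaultAccess(): the flag survives."""
    security = ClassSecurityInfo()
    __allow_access_to_unprotected_subobjects__ = 1
    meta_type = 'Hand Flagged'
    secret = 'anyone can read this too'

InitializeClass(HandFlagged)


class DenyByDefault:
    """Calls setDefaultAccess('deny'): the hand-set flag is overridden to 0,
    so only explicitly declared attributes remain reachable."""
    security = ClassSecurityInfo()
    security.setDefaultAccess('deny')
    __allow_access_to_unprotected_subobjects__ = 1   # overridden, as Michael observed
    meta_type = 'Deny By Default'
    security.declarePublic('meta_type')              # Paul's per-attribute approach
    secret = 'not reachable from DTML'
    security.declareProtected('Manage portal', 'admin_note')
    admin_note = 'managers only'

InitializeClass(DenyByDefault)


if __name__ == '__main__':
    print(HandFlagged.__allow_access_to_unprotected_subobjects__)    # 1
    print(DenyByDefault.__allow_access_to_unprotected_subobjects__)  # 0
    print(is_accessible(DenyByDefault, 'meta_type', ['Anonymous']))  # True
    print(is_accessible(DenyByDefault, 'secret', ['Anonymous']))     # False
    print(is_accessible(DenyByDefault, 'admin_note', ['Manager']))   # True
```

The point of the model is the order of checks in is_accessible: an explicit declaration for the attribute is consulted first, and only an undeclared attribute falls through to the class-wide flag, which is why a 'deny' default combined with declarePublic('meta_type') exposes exactly that one attribute and nothing else.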


_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )