[Zope] Zope product security question
Michael R. Schwab
Michael.Schwab-mail.zope.org@icantbelieveididthat.com
Thu, 13 Mar 2003 10:24:27 -0600
Chris Withers wrote:
> Michael R. Schwab wrote:
>
>> The issue that I'm facing seems to be Zope's security model. The
>> ZDG's security guide has even specified that object properties that
>> are basic Python types cannot have their permissions set via the usual
>> security.declarePublic() call (this includes 'id', 'meta_type', 'title').
>
> This is true.
>
> Your options are:
>
> 1. setDefaultAccess('deny') and then provide setter and accessor methods
> for the attributes in question.
>
> 2. I believe setDefaultAccess can be passed a list or function that
> determines whether an attribute is accessible. You'd have to do some
> research on this.
Ok, to implement via option #2:
Set the following security declarations:
    from AccessControl import ClassSecurityInfo

    # in the product's class body:
    __roles__ = ()
    security = ClassSecurityInfo()
    security.setDefaultAccess({'id': 1,          # 1 = accessible to scripts
                               'meta_type': 1,
                               'title': 1})      # anything not listed is denied
This allows public access to the 'id', 'meta_type', and 'title', but
disallows access to all other properties such as 'ctime'.
Alternatively, you can also specify an inaccessible property with
'ctime':0 in the security.setDefaultAccess() call.
It's a bit of a hoop jumping lesson, but it works. Thanks Chris!
>> I don't want to specify security.setDefaultAccess( 'allow' ) as this
>> would allow access to mutable types within my product from scripts and
>> defeats the purpose of setting a strict default security policy.
>
> Be careful. OFS.SimpleItem.SimpleItem does this anyway, so you'll have
> to ensure you specifically set the policy in your product.
>
> cheers,
>
> Chris
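For readers who want to see why the dict form above denies 'ctime' while
exposing 'id', 'meta_type' and 'title', here is an added, stand-alone model
of the check Zope 2 performs when untrusted code reads an attribute that
carries no security declaration of its own. It is not code from this thread
and not Zope's own code: the class names SecurityInfo, Doc and Open, the
functions check_unprotected_access, initialize_class and accessible_attributes,
and the sample attribute values are this model's own assumptions. Only the
accepted forms of setDefaultAccess() ('allow'/'deny', 0/1, a dict of
name -> 0/1, or a callable(name, value)) and the attribute name the policy is
stored under follow Zope.

```python
# Added example: a model of Zope 2's default-access check, not Zope's code.

ALLOW = 1
DENY = 0


class SecurityInfo:
    """Model of the part of ClassSecurityInfo that handles default access."""

    def __init__(self):
        self.access = None  # None: this class states no policy of its own

    def setDefaultAccess(self, access):
        # Zope accepts 'allow'/'deny' (case-insensitive), 0/1, a dict mapping
        # attribute name -> 0/1, or a callable(name, value) returning truth.
        if isinstance(access, str):
            access = access.lower()
            if access == 'allow':
                access = ALLOW
            elif access == 'deny':
                access = DENY
            else:
                raise ValueError('%s is not a valid default access value' % access)
        self.access = access

    def apply(self, klass):
        # Zope stores the policy on the class under this attribute name.
        if self.access is not None:
            klass.__allow_access_to_unprotected_subobjects__ = self.access


def initialize_class(klass):
    """Model of InitializeClass(): apply the class's SecurityInfo, if any."""
    info = getattr(klass, 'security', None)
    if isinstance(info, SecurityInfo):
        info.apply(klass)
    return klass


def check_unprotected_access(container, name):
    """True if the default-access policy lets untrusted code read
    container.<name> when <name> has no declaration of its own."""
    policy = getattr(container, '__allow_access_to_unprotected_subobjects__', None)
    if policy is None:
        return False                      # no policy anywhere: deny
    if isinstance(policy, dict):
        # Dict form: names not in the dict yield None, which is a deny.
        return bool(policy.get(name))
    if callable(policy):
        return bool(policy(name, getattr(container, name, None)))
    return bool(policy)                   # int form: 'allow' -> 1, 'deny' -> 0


class Doc:
    """Stand-in for the product class in the thread (constructed sample)."""
    id = 'doc1'
    meta_type = 'Doc'
    title = 'Example'
    ctime = 1047572667                    # constructed epoch value
    security = SecurityInfo()
    security.setDefaultAccess({'id': 1, 'meta_type': 1, 'title': 1, 'ctime': 0})


class Open:
    """A class that takes the permissive default Chris warns about."""
    id = 'open1'
    ctime = 1047572667
    security = SecurityInfo()
    security.setDefaultAccess('allow')


class Named:
    """Callable form: expose only names starting with 'public_'."""
    public_note = 'visible'
    secret = 'hidden'
    security = SecurityInfo()
    security.setDefaultAccess(lambda name, value: name.startswith('public_'))


for _klass in (Doc, Open, Named):
    initialize_class(_klass)


def accessible_attributes(container, names):
    """Sorted subset of `names` the default-access policy exposes."""
    return sorted(n for n in names if check_unprotected_access(container, n))


if __name__ == '__main__':
    probe = ['id', 'meta_type', 'title', 'ctime', 'bobobase_modification_time']
    print('Doc exposes:', accessible_attributes(Doc, probe))
    print('Open exposes:', accessible_attributes(Open, probe))
    print('Named exposes:', accessible_attributes(Named, ['public_note', 'secret']))
```

Running it shows that with the dict form, an attribute is readable only if it
is listed with a true value, so leaving 'ctime' out and listing it as 0 are
equivalent; the 'allow' form, by contrast, exposes every undeclared attribute,
which is the SimpleItem behaviour a product has to override explicitly.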