[Zope] Invoking Zope's security manually?

Dieter Maurer dieter at handshake.de
Thu Jan 8 14:21:38 EST 2004


herman geldenhuys wrote at 2004-1-8 17:27 +0200:
>What is the proper way to validate Zope's security in an unrestricted 
>script?
>
>...object = make a request object and wrap the root zope object...
>
>result = object.aq_acquire(methodName)
>if not AccessControl.getSecurityManager().validate(object, None, methodName, result):
>    raise Exception('Unauthorised:' + methodName)
>
>I know this should be close to what it should be. But what about an object's 
>properties, and accessing their __str__ and __call__ type methods?

I am almost sure that they are not protected in a special way.
This means: when you can access the object (as checked above)
and the object has an "__str__" or "__call__" method,
then you can use "str(obj)" and "obj(...)" with further
restriction by the security machinery.

Tell me when you are able to prove me wrong...

-- 
Dieter


