[Zope] Product security and OFS.CopySupport
Michael R. Schwab
Michael.Schwab-mail.zope.org at icantbelieveididthat.com
Tue Oct 26 21:34:51 EDT 2004
<quote who="Peter Bengtsson">
> Have you registered the class in your __init__.py file?
> That stuff about restrictedTraverse() is over my head but usually
> copy/paste problems can arise due to unregistered classes.

Yes. My __init__.py is registering my class:

    import CustomFolder
    from AccessControl import Permissions

    def initialize(context):
        try:
            context.registerClass(
                CustomFolder.CustomFolder,
                permission=Permissions.add_folders,
                constructors=(CustomFolder.manage_addCustomFolderForm,
                              CustomFolder.manage_addCustomFolder),
                icon = 'www/Folder_icon.gif' )
        except:
            import sys, traceback, string
            type, val, tb = sys.exc_info()
            sys.stderr.write( string.join(
                traceback.format_exception( type, val, tb ),
                '' ) )
            del type, val, tb

I've subsequently tried different security declaration combinations:

- setting __roles__ to either None or ()
- calling security.setDefaultAccess( 'deny' ) and
  security.setDefaultAccess( {'id':1, 'meta_type':1, 'title':1,
  'icon':1, 'title_or_id':1 } )
- explicitly declaring security.declareProtected with the
  Permissions.view permission on id, meta_type, title, icon,
  title_or_id
- explicitly declaring security.declareProtected with the
  Permissions.copy_or_move permission on manage_copyObjects,
  manage_cutObjects, manage_pasteObjects, manage_renameObject, and
  manage_renameObjects

The end result is some combination of the following errors:

- unable to browse the CustomFolder's index_html
- unable to access manage_main in the ZMI due to an AttributeError
  with a value of 'NoneType' object has no attribute 'setHeader'
- unable to paste and rename an object contained in a CustomFolder
  object

There _has_ to be a way to declare a folderish object as protected
default and declare protected access to methods and properties by
role names.

Before you ask, yes I am calling InitializeClass(CustomFolder) to
apply the security permissions to my class.

> On Mon, 25 Oct 2004 18:31:55 -0600 (CST), Michael R. Schwab
> <michael.schwab-mail.zope.org at icantbelieveididthat.com> wrote:
>> Hi,
>>
>> I've encountered problems when adding security declarations to a Zope
>> folderish object product on Zope 2.7.2/Python 2.3.4/RH Linux 9.0.
>>
>> My folderish object 'CustomFolder' (see
>> http://files.englesh.org/CustomFolder.tgz for source) has permissions on
>> its methods. For example, I'm declaring:
>>
>>     security.declarePublic('index_html')
>>     index_html = PageTemplateFile(
>>         os.path.join('zpt', 'default_index_html'),
>>         globals())
>>
>> I then initialize the permissions for my object calling:
>>
>> InitializeClass(CustomFolder)
>>
>> When I instantiate a 'CustomFolder', I can add new sub objects. I am,
>> however, unable to paste or rename objects within the 'CustomFolder'
>> instance. I've been able to trace the error to the call to
>> _verifyObjectPaste (line 352) in OFS.CopySupport. It appears that
>> _verifyObjectPaste fails on the call to
>> self.restrictedTraverse(method_name). The comments following the call
>> seem to indicate that an Unauthorized exception is thrown if the factory
>> method by name cannot be obtained.
>>
>> Is there something that I am missing in my security declarations for
>> 'CustomFolder' or is this a bug in OFS.CopySupport or OFS.Traversable?
>>
>> I've googled on this but the results I have found have not fixed the
>> problem I am seeing.
>>
>> Thanks,
>> Michael
--
Michael R. Schwab
All those who believe in psychokinesis, raise my hand.