[Zope] Re: Python Classes and Zope.
Florent Guillaume
fg at nuxeo.com
Fri Dec 2 17:57:16 EST 2005

Paul Winkler wrote:
> On Fri, Dec 02, 2005 at 04:12:01PM +0100, Jean-Marc Orliaguet wrote:
>
>>does zope2 do an access control based on acquisition for public methods,
>>that would be a waste of resources since the answer is always "yes,
>>granted" ?
>
>
> Well, the thing is, the declaration that makes the method public
> *has no effect* unless your class participates in acquisition.

That's not true. The objects of this class will be perfectly accessible
to a restricted user:

    from AccessControl import ClassSecurityInfo
    from Globals import InitializeClass

    class MyStuff(object):
        security = ClassSecurityInfo()
        security.declareObjectPublic()
        security.setDefaultAccess('allow')

        def foo(self):
            return 'bar'

    InitializeClass(MyStuff)

Which also can be written more shortly and less invasively:

    class MyStuff(object):
        def foo(self):
            return 'bar'

    from AccessControl import allow_class
    allow_class(MyStuff)

allow_class does the same thing as declareObjectPublic +
setDefaultAccess('allow').

For instance you could have in this same code:

    from AccessControl import ModuleSecurityInfo
    ModuleSecurityInfo('Products.ThisProduct.ThisFile'
                       ).declarePublic('getStuff')

    def getStuff():
        return MyStuff()

And in restricted code you can then do:

    from Products.ThisProduct.ThisFile import getStuff
    ob = getStuff()
    v = ob.foo()

>
> Oh, and the instance needs to be given an acquisition context, too.
> e.g. foo = foo.__of__.some_parent
>

It's only if you want to protect a method with a specific permission
that's not public or private that you'll have to provide acquisition
context so that Zope can find out what roles have this permission and
match them against the current user's roles:

    import Acquisition
    from AccessControl import ClassSecurityInfo
    from Globals import InitializeClass

    class MyStuff(Acquisition.Implicit):
        security = ClassSecurityInfo()
        security.declareObjectPublic()
        security.setDefaultAccess('allow')

        def foo(self):
            return 'bar'

        # declareProtected takes the permission, then the method names
        security.declareProtected('View', 'viewit')
        def viewit(self):
            return 'yo mama'

    InitializeClass(MyStuff)
    ...
    def getStuff(context):
        return MyStuff().__of__(context)

Then in restricted code you'll be able to do:

    ...
    ob = getStuff(context)
    v = ob.viewit()

Florent

--
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com
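
Added example, not part of the message above and not AccessControl's own code: a simplified Python model of why public and private declarations resolve without a context, while a permission-protected method needs one to find the roles. `Folder`, `Wrapped`, `roles_for_permission`, `allowed` and the sample roles are hypothetical, and denying access when no roles can be found is an assumption of the model.

```python
# Simplified model of the lookup described in the message; not AccessControl's code.
PUBLIC = None    # models a public declaration: granted without any role lookup
PRIVATE = ()     # models a private declaration: never granted

class Folder:
    """Constructed container that may map a permission to roles."""
    def __init__(self, parent=None, permission_roles=None):
        self.parent = parent
        self.permission_roles = permission_roles or {}

class Wrapped:
    """Stands in for obj.__of__(context): the object plus where it was reached."""
    def __init__(self, obj, context):
        self.obj, self.context = obj, context

class MyStuff:
    # method name -> PUBLIC, PRIVATE, or the name of the protecting permission
    declarations = {'foo': PUBLIC, 'secret': PRIVATE, 'viewit': 'View'}

def roles_for_permission(permission, context):
    """Walk up the containment chain to the nearest permission -> roles mapping."""
    while context is not None:
        if permission in context.permission_roles:
            return context.permission_roles[permission]
        context = context.parent
    return None  # no context, or no container maps this permission

def allowed(target, method, user_roles):
    """Decide access for user_roles; undeclared methods are denied in this model."""
    if isinstance(target, Wrapped):
        obj, context = target.obj, target.context
    else:
        obj, context = target, None
    decl = obj.declarations.get(method, PRIVATE)
    if decl is PUBLIC:
        return True
    if decl == PRIVATE:
        return False
    roles = roles_for_permission(decl, context)
    # Assumption of the model: roles that cannot be determined mean denial.
    return roles is not None and bool(set(roles) & set(user_roles))

# Constructed sample hierarchy: only the root maps 'View' to roles.
root = Folder(permission_roles={'View': ('Manager', 'Member')})
section = Folder(parent=root)

if __name__ == '__main__':
    print(allowed(MyStuff(), 'viewit', ['Member']))
    print(allowed(Wrapped(MyStuff(), section), 'viewit', ['Member']))
```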