[Zope] Re: Python Classes and Zope.
Paul Winkler
pw_lists at slinkp.com
Sat Dec 3 11:07:14 EST 2005
On Fri, Dec 02, 2005 at 11:57:16PM +0100, Florent Guillaume wrote:
> Paul Winkler wrote:
(snip)
> >Well, the thing is, the declaration that makes the method public
> >*has no effect* unless your class participates in acquisition.
>
> That's not true. The objects of this class will be perfectly accessible
> to a restricted user:
>
> from AccessControl import ClassSecurityInfo
> class MyStuff(object):
> security = ClassSecurityInfo()
> security.declareObjectPublic()
> security.setDefaultAccess('allow')
> def foo(self):
> return 'bar'
> InitializeClass(MyStuff)
>
> Which also can be written more shorly an less invasively:
>
> class MyStuff(object):
> def foo(self):
> return 'bar'
> from AccessControl import allow_class
> allow_class(MyStuff)
So it is. Thanks for the clarification.
What confused me is that the following *does* need
the inheritance from Acquisition:
from Acquisition import Implicit
class Foo3(Implicit):
security = ClassSecurityInfo()
security.declarePublic('bar')
def bar(self):
return "hello from foo3"
InitializeClass(Foo3)
In this case, if you remove the (Implicit),
you get AccessDenied because "The container has no security assertions".
I mistakenly assumed that the same was necessary when using
allow_class. Thanks for clearing that up.
> > Oh, and the instance needs to be given an acquisition context, too.
> > e.g. foo = foo.__of__.some_parent
>
> It's only if you want to protect a method with a specific permission
> that's not public or private that you'll have to provide acquisition
> context so that Zope can find out what roles have this permission and
> match them against the current user's roles:
Apparently you're right about this too :-)
I never knew that. Thanks.
--
Paul Winkler
http://www.slinkp.com
More information about the Zope
mailing list