[Zope] Re: DiskBased products and security

Haim Ashkenazi haim at babysnakes.org
Mon Jun 13 19:09:46 EDT 2005


On Mon, 13 Jun 2005 21:07:56 +0300, Haim Ashkenazi wrote:

> On Mon, 13 Jun 2005 19:13:14 +0200, Dieter Maurer wrote:
> 
>> Haim Ashkenazi wrote at 2005-6-13 15:43 +0300:
>>> ...
>>>1. __roles__ = () - I didn't understand exactly why but with this
>>>statement I can't access the product either from the ZMI or directly from
>>>the web.
>> 
>> This is a (deprecated) alternative for "security.declareObjectPrivate()".
>> 
>>>2. security.setDefaultAccess("deny") - I think I understand why we changed
>>>that, but it's causing a lot of problems. If I add 'declareProtected' for
>>>all my methods, I can access certain pages, but with some pages (maybe
>>>ones that are calling methods from base classes or acquisition like
>>>'title_or_id') I still get errors ("Unauthorized: You are not allowed to
>>>access 'title_or_id' in this context"). Trying to solve this I started
>>>adding 'declareProtected' for every method I got an error for. I gave up
>>>after 3 methods, but it seems to help.
>> 
>> Yes, many methods of "OFS.SimpleItem.SimpleItem" and its base
>> classes rely on its "setDefaultAccess('allow')".
>> 
>> If you change this to "deny", you have to provide the
>> explicit security declarations.
>> 
>>>so, I was wondering if something was changed in the security model since
>>>2.5 (the version that the book is about) until 2.7, and is there a place
>>>where it's documented (the zope developer guide is versioned 2.4)?
>> 
>> "setDefaultAccess('deny')" had a bug in some earlier Zope versions.
>> With the exception of this fix, nothing changed here for a long
>> time. You can still use the Zope Developer Guide...
>> 
>>>also, if I make sure that every method I have in my module is also
>>>declared as protected, or public, is there a problem with leaving the
>>>default access as any?
>> 
>> As what?
> sorry, I was unclear there :)
> 
> what I meant is if I won't leave any method undeclared (security wise) in
> my class, will it be a security risk to leave the default access
> (setDefaultAccess('any'))? can I protect uncallable objects (like
> variables) the same way?
that was just me being stupid :)
If I want to protect a variable, I can just give it a name starting with
"_somename"...

Bye

> 
> 
>> The "default access" also controls access to attributes of simple type
>> (strings, tuples, dicts, ...) which cannot have their own security
>> declarations.
>> 
>> If you do not access such attributes directly and you provide security
>> declarations for all methods you use, then you can keep "defaultAccess
>> == 'deny'".
> thanx a lot for a very informative answer.
> 
> Bye

-- 
Haim



