[zope2-tracker] [Bug 580912] [NEW] Storing method instance of user written class in list confuses Zope access control system.

Tres Seaver tseaver at palladion.com
Sat May 15 13:53:02 EDT 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tony Middleton wrote:
> Public bug reported:
> 
> After moving from Zope 2.10 to 2.12 some existing Python code which
> accesses self written packages failed.  I have created a small test
> module to show the problem.
> 
> Here is Products/testp/testm.py
> 
> class testc:
>   def __init__(self,testval):
>     self.testval = testval
>   def testv(self):
>     return self.testval

The fact that access to 'testv' worked in any Zope2 version was the bug:
 your class doesn't abide by the Zope2 security policy, which requires
that methods of classes be explicitly protected with a permission, or
else that the class has an '__allow_access_to_unprotected_subobjects__'
which enables access.  Your grants allow access to the module and the
class, but not to methods or attributes of the class.  See:

 http://docs.zope.org/zope2/zdgbook/Security.html

Please try adding the "magic" attribute at class scope, e.g.::

  class testc:
      __allow_access_to_unprotected_subobjects__ = 1
      ...

or else set up explicit security on your class, and initialize the
class::

  from AccessControl.SecurityInfo import ClassSecurityInfo
  from App.class_init import InitializeClass

  class testc:
      security = ClassSecurityInfo()
      ...
      security.declarePublic('testv')
      def testv(self):
          ...

  InitializeClass(testc)

If that fixes the issue, then we can re-categorize this as a misfeature
of Zope 2.10.

  status incomplete


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvu334ACgkQ+gerLs4ltQ6BRQCgq6320sot9WP8z2NDi/5im7py
OekAoIIZE4npLZ8OMQ4MILg8084/cPI6
=bVy6
-----END PGP SIGNATURE-----

-- 
Storing method instance of user written class in list confuses Zope access control system.
https://bugs.launchpad.net/bugs/580912
You received this bug notification because you are a member of Zope 2
Developers, which is subscribed to Zope 2.

More information about the zope2-tracker mailing list