[Zope-CMF] [dev] wrapping users - a proposal

yuppie y.2011 at wcm-solutions.de
Tue Feb 22 12:06:07 EST 2011


Hi!


Charlie Clark wrote:
> Am 22.02.2011, 11:46 Uhr, schrieb yuppie<y.2011 at wcm-solutions.de>:
>> 2.) direct MemberData property access
>> -------------------------------------
>> Wrapped users are now MemberAdapter objects. So wrapped users no longer
>> have attributes like 'email' or 'listed'. This is a security improvement
>> because you can't bypass the API with its permission checks.
>> But 'member.email' is more convenient than 'member.getProperty('email')'
>> and used in many places. I fixed these in CMF itself, it I'm afraid that
>> change will break a lot of third party code.
>> I propose to add read-only properties that return the values in a modern
>> format (datetime instead of DateTime, unicode instead of encoded
>> strings).
>
>> Question:
>> Should we support a fixed schema with the default member data properties
>> or should we use a customized __getattr__ method?
>
> If the access is always via the adapter then I would prefer a customised
> __getattr__

I'm still not sure how to resolve this.

MemberAdapter objects are used in untrusted code and it might be 
complicated to set permissions correctly for __getattr__ access. (At 
least I never tried that.)

It also would be nice to have a well defined interface for default 
member properties.

So I tend to a fixed schema. People still can add custom properties, but 
they would have to use getProperty or override MemberAdapter.


Cheers,

	Yuppie


More information about the Zope-CMF mailing list