[Zope-dev] RFClarification: Security on Product Attributes
Jim Fulton
jim@digicool.com
Fri, 10 Nov 2000 09:04:46 -0500
Chris Withers wrote:
>
> Okay, apologies in advance for picking up a thread that's been dormant
> for so long ;-)
>
> Jim Fulton wrote:
> >
> > Chris Withers wrote:
> > >
> > > self.id = id
> > > self.title = 'Title!'
> > > self.anInt = 0
> > > self.aString = 'testing'
> > >
> > None of the
> > values above can have a __roles__ attribute, so they are covered
> > by assertions made in their containers.
>
> That's what I thought....
>
> > Note that if you can't adequately control something that
> > can't have __roles__, you can provide an access function
> > (e.g. getAnInt), which you can control.
> >
> > > Can I read them? I think the answer is yes for anInt and no for aString.
> >
> > Probably, if you can get at one, you can get at the other.
>
> That's not my experience.

There's something very odd going on. The issue isn't
stringness or intness but role-less-ness. :)

> If you try and use strings, you get dialog
> boxes popping up. If you use ints, it works fine.

I've never seen this.

> So, the problem is how to protect ints when you don't want people to get
> at them... Adding accessors means you have protected accessors but there's
> nothing to stop you just going and using the freely available original
> attribute.

Yes there is. Access to attributes is controlled by the roles of their
container.

You should also be able to create specific unprotected attribute assertions
using the mechanism described in:

http://www.zope.org/Members/michel/Projects/Interfaces/ZopeSecurityPolicy

I'll admit that I haven't tried this. If you try it soon (like today) and
find it broken, we can fix it for Zope 2.2.3.

> Strings; fine, at least they're secure, and when they become proper
> objects in Python 2.0, the problem should go away?

Will Python 2.0 let you assign string attributes?

Jim
--
Jim Fulton mailto:jim@digicool.com Python Powered!
Technical Director (888) 344-4332 http://www.python.org
Digital Creations http://www.digicool.com http://www.zope.org
Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email
address may not be added to any commercial mail list with out my
permission. Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damages/incident, $1500 for
repeats.
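
The rule discussed in this message, as an added example that is not part of the original post and is not Zope's own code: a value that cannot carry __roles__ is guarded by its container's assertion, while an access function can carry roles of its own. The helper names (can_carry_roles, effective_roles, allowed, guarded_getattr), the Product class, its role assignments, and the conventions "None means public" and "no assertion means deny" are assumptions of this simplified model.

```python
# Simplified model of the rule discussed in this thread; not Zope's own code.
_MISSING = object()

class Unauthorized(Exception):
    pass

def can_carry_roles(value):
    """Probe: can a __roles__ attribute be attached to this value?"""
    try:
        setattr(value, "__roles__", ("Manager",))
    except (AttributeError, TypeError):
        return False
    return True

def effective_roles(container, name):
    """Roles guarding container.name: the value's own, else the container's."""
    value = getattr(container, name)
    roles = getattr(value, "__roles__", _MISSING)
    if roles is _MISSING:  # role-less value such as an int or a string
        roles = getattr(container, "__roles__", _MISSING)
    return roles

def allowed(container, name, user_roles):
    roles = effective_roles(container, name)
    if roles is _MISSING:  # assumption of this model: no assertion means deny
        return False
    return roles is None or bool(set(roles) & set(user_roles))  # None = public

def guarded_getattr(container, name, user_roles):
    if not allowed(container, name, user_roles):
        raise Unauthorized(name)
    return getattr(container, name)

class Product:
    __roles__ = ("Manager",)  # container assertion (constructed for the example)

    def __init__(self, id):
        self.id = id
        self.title = "Title!"
        self.anInt = 0
        self.aString = "testing"

    def getAnInt(self):
        return self.anInt
    getAnInt.__roles__ = ("Manager", "Anonymous")  # the accessor carries its own roles
```

In this model a caller holding only the constructed "Anonymous" role is refused anInt and aString alike, but can still obtain and call getAnInt.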