[Zope-dev] Re: hack for refused authorization with virtual dataskin

Phillip J. Eby pje@telecommunity.com
Mon, 23 Apr 2001 15:55:03 -0400


At 01:37 PM 4/23/01 +0200, Godefroid Chapelle wrote:
>Hello,
>
>
>After rereading the ZopeSecurityPolicy source code, I tried the
>following hack.
>
>I add in the skinscript :
>
>WITH 1 COMPUTE __allow_access_to_unprotected_subobjects__=RESULT
>
>which does work : it fools the security mechanism.
>
>I can live with it but feel that there is only a slight problem which
>could allow me to avoid the hack.
>
>I hope this can hint some of you to help me to understand what is badly
>settled in my installation.

It sounds to me like you need to be using the getId() method instead of the 
.id attribute.  I think that the id attribute is being phased out in favor 
of getId().

I'm somewhat reluctant to enable access to unprotected subobjects in the 
DataSkin base class; it seems a little too broad of an access level.  The 
other alternative would be to allow SkinScript expressions free rein as 
regards security - but that's too broad also.  The optimum would be to 
allow SkinScript expressions full access to the targeted DataSkin's direct 
attributes, but normal (validated) access to everything else, but I'm not 
sure how to do this safely.

This is an example of why I consider ZPatterns a hack - too many places 
where it depends on Zope innards like this.