[Zope-dev] Re: hack for refused authorization with virtual dataskin

Godefroid Chapelle gotcha@swing.be
Tue, 24 Apr 2001 08:55:30 +0200


"Phillip J. Eby" wrote:

>
> It sounds to me like you need to be using the getId() method instead of the
> .id attribute.  I think that the id attribute is being phased out in favor
> of getId().

I was already told about the getId but the problem goes further than access to
the id.
I get the same non authorized message when accessing other attributes computed
by the skinscript.

I do not understand why I have no problem (I mean do not need
access_to_unprotected hack) with standard stored ZClass-dataskin instances but
well with non stored instances...

I suppose there is something different between the two cases going on during
the construction of the instances
but have not been able until now to get the point.
My Python is not fluent enough to allow me to understand the following code of
Rack.py :

_v_itemConstructor = ComputedAttribute(lambda s,
v=ComputedAttribute(_v_itemConstructor): v)

>
>
> I'm somewhat reluctant to enable access to unprotected subobjects in the
> DataSkin base class; it seems a little too broad of an access level.  The
> other alternative would be to allow SkinScript expressions free rein as
> regards security - but that's too broad also.  The optimum would be to
> allow SkinScript expressions full access to the targeted DataSkin's direct
> attributes, but normal (validated) access to everything else, but I'm not
> sure how to do this safely.
>
> This is an example of why I consider ZPatterns a hack - too many places
> where it depends on Zope innards like this.

I get your point but I think that something a la ZPatterns should be integrated
in the Zope core
to separate logic and storage especially now that ZPT allows a very clean
separation between logic and presentation.

I would appreciate to know the position of DC about the design objectives of
ZPatterns


--

Godefroid Chapelle

BubbleNet sprl
rue Victor Horta, 30
1348 Louvain-la-Neuve
Belgium

Tel 010 457490
Mob 0477 363942

TVA 467 093 008
RC Niv 49849