[Zope-dev] Re: _setName issue (was declarePrivate doesn't)
Shane Hathaway
shane@zope.com
Fri, 07 Sep 2001 10:07:16 -0400
Chris Withers wrote:
>I remember you raising the issue requiring _setName, so I geuss you're the man
>to ask when it doesn't work ;-)
>
>>From the SQL class in SQL.py:
>
> manage=manage_main=DTMLFile('dtml/edit', globals())
> manage_main._setName('manage_main')
>
> __ac_permissions__=(
> ('Change Database Methods', ('manage', 'manage_main')),
> )
>
>Now, I subclass this to make my FS ZSQL Method and haev the following in the
>subclass:
>
> # Make mutators private
> security.declarePrivate('manage','manage_edit','manage_advanced')
>
> security.declareObjectProtected(View)
>
> security.declareProtected(ViewManagementScreens, 'manage_main')
> manage_main = Globals.DTMLFile('custzsql', _dtmldir)
>
>So, manage_edit and manage_advanced have indeed become private..
>
>..but '/manage' still brings me up the edit form on my FS ZSQL Method.
>
>Why? I wondered...
>
>Well, in SQL.py, there's a _setName to make manage use the manage_main name,
>which in my subclass is protected by ViewManagementScreens. So, this seems to
>take precendence over the declarePrivate.
>
>That feels like a bug to me, what do otehr people think?
>
It's ugly, but it's working correctly. When
ZopeSecurityPolicy.validate() checks whether you can access the
attribute you retrieved by the name "manage", it finds an attribute
whose name is supposed to be "manage_main". So it checks whether you
can access the name manage_main, and you can. Sometime we should look
into whether we can change this odd behavior without breaking stuff.
I suggest there's no reason to use the name manage_main for your
"custzsql" method. Call it "manage_customize" or something similar
instead, then make sure manage_options lists manage_customize first.
Declaring the name "manage" to be private actually has no effect, but
declaring manage_main to be private would.
Shane