[Zope-dev] security.declareProtected doesn't always work?

John Ziniti jziniti@speakeasy.org
Fri, 04 Jan 2002 15:46:36 -0500


> The basic security mechanism uses the attribute "m__roles__" in order
> to protect "m". If this attribute it "None", then "m" is public.
> Otherwise, it is expected to be a sequence of roles that are allowed
> to use "m".
> 
> But, "ExtensionsClass" brings with it computed attributes. This allows
> "m__roles__" to be not a sequence but a method returning a sequence.
> When you protect "m" with a permission "p", then
> "m__roles__" is set to "PermissionRole(p)". This instance dynamically
> evaluates into a sequence of roles by crawling up the "aq_container"
> (which is correctly "aq_parent" after "aq_inner") chain and translating
> "p" into roles by interpreting the "permission-to-role" mapping
> it finds on its way to the application object.
> 
> Therefore, "declarePublic" works for non-wrapped instances while
> "declareProtected" requires the wrapping.
> 
> 
> Dieter


Very well put, Dieter -- both as an explanation of the problem
at hand, as well as a general description of one of the more
esoteric regions of Zope.  I think it belongs in a document
somewhere.  Thanks.  I knew I read these email lists for a
reason.

Ziniti