[Zope-dev] strange priv leak
Dieter Maurer
dieter@handshake.de
Tue, 20 May 2003 19:50:40 +0200
Shane Hathaway wrote at 2003-5-19 15:54 -0400:
> ...
> We can't, unless we overhaul the security policy. Declarations for
> built-in types get ignored. This is because the security policy depends
> on being able to find a __roles__ attribute on the thing accessed.
> Instances of built-in types do not allow extra attributes (nor should
> they.) So, for example, declarePrivate('some_string_attribute') has no
> effect, nor did it ever have any effect.
I do not think so (at least if I understand the code correctly).
When the object does not have a "__roles__" attribute,
its container is checked.
Place the security declaration there (e.g. coded in the
form "<attribute>__roles__") for objects that cannot
carry it themselves.
Dieter
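
The lookup order described in the reply above, as an added example (a simplified model written for this page, not Zope's AccessControl code and not from either poster). Only "__roles__" and the "<attribute>__roles__" naming come from the thread; the function names, the sample class, the meaning given to () and None, and the fail-closed default are assumptions of the model.

```python
_MISSING = object()   # sentinel: no declaration found anywhere
PRIVATE = ()          # assumption: empty tuple means no role may access
PUBLIC = None         # assumption: None means anyone may access


def find_roles(container, name, value):
    """Return the roles guarding `value`, reached as `container.<name>`."""
    # 1. Ask the accessed object itself.
    roles = getattr(value, "__roles__", _MISSING)
    if roles is not _MISSING:
        return roles
    # 2. The object carries no declaration (built-in types cannot):
    #    look for "<name>__roles__" on the container instead.
    return getattr(container, name + "__roles__", _MISSING)


def allowed(container, name, value, user_roles):
    """Decide access for a user holding `user_roles` (hypothetical helper)."""
    roles = find_roles(container, name, value)
    if roles is _MISSING:
        return False  # model choice: fail closed when nothing is declared
    if roles is PUBLIC:
        return True
    return any(r in roles for r in user_roles)


def can_set_roles_on_str():
    """Show why the declaration cannot live on a built-in instance."""
    try:
        "abc".__roles__ = PRIVATE
    except AttributeError:
        return False
    return True


class Document:
    """Constructed sample container with string attributes."""
    title = "Quarterly report"
    title__roles__ = PUBLIC
    api_key = "constructed-sample-value"
    api_key__roles__ = PRIVATE
    notes = "internal"
    notes__roles__ = ("Manager",)
    undeclared = "no declaration on the container"
```
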