[Zope-dev] Re: 2.7.3 beta attribute permission problems

Tres Seaver tseaver at zope.com
Tue Oct 19 16:39:09 EDT 2004


Dieter Maurer wrote:
> Santi Camps wrote at 2004-10-19 15:05 +0200:
> 
>>...
>>Error Type: Unauthorized*
>>*Error Value: The container has no security assertions. Access to 
>>'get_sum_of_values' of (Adapter instance at 40ae6ac0) denied.*
> 
> 
> This tells you that the container containing "get_sum_of_values"
> does not have security assertions. Is this wrong?

The container (the class Test.Test in Santi's product) does have 
security assertions for *itself*:

class Test(OrderedFolder):
     """
     Test
     """

     meta_type       = 'AccessControl Test'

     security = ClassSecurityInfo()
     security.declareObjectProtected('View')

However it makes no assertion for the attribute 'get_sum_of_values':

     ############################################################
     def get_sum_of_values(self):
         """
         """
         return self.value1 + self.value2

AFAICT, the new behavior is perfectly correct here:  absent either an 
explicit permission declaration for 'get_sum_of_values', or a "blanket 
grant" for unprotected subobjects (e.g., 'security.setDefaultAccess(1)'), 
the template which fails *should* fail;  the fact that it used to 
succeed was merely a security hole.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
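
The rule described in the message above, as an added example that is not part of the original post and is not Zope's AccessControl code: a simplified, self-contained model in which an attribute is reachable only through an explicit per-attribute permission declaration or a blanket default-access grant. `ToySecurityInfo`, `guarded_getattr`, `build_class` and `try_call` are hypothetical names; only the method names `declareProtected` and `setDefaultAccess` mirror Zope's, and the real policy performs more checks than this model.

```python
# Simplified model of default-deny attribute access (NOT Zope's implementation).
class Unauthorized(Exception):
    pass

class ToySecurityInfo:
    """Hypothetical stand-in for a class's security declarations."""
    def __init__(self):
        self.protected = {}          # attribute name -> required permission
        self.default_access = False  # blanket grant for undeclared attributes

    def declareProtected(self, permission, *names):
        for name in names:
            self.protected[name] = permission

    def setDefaultAccess(self, allow):
        self.default_access = bool(allow)

def guarded_getattr(obj, name, user_permissions):
    """Return obj.<name> only if the class's declarations cover it."""
    info = type(obj).security
    if name in info.protected:
        needed = info.protected[name]
        if needed in user_permissions:
            return getattr(obj, name)
        raise Unauthorized("%r requires permission %r" % (name, needed))
    if info.default_access:
        return getattr(obj, name)
    # Default deny: an undeclared attribute is not reachable.
    raise Unauthorized("no security assertion covers %r" % name)

def build_class(configure):
    """Build a constructed Test-like class; configure() adds declarations."""
    class Test:
        security = ToySecurityInfo()
        value1, value2 = 2, 3  # constructed sample values
        def get_sum_of_values(self):
            return self.value1 + self.value2
    configure(Test.security)
    return Test

def try_call(cls, perms):
    """Call get_sum_of_values through the guard; report a denial as text."""
    try:
        return guarded_getattr(cls(), "get_sum_of_values", perms)()
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc

Undeclared = build_class(lambda s: None)  # the situation in the thread
Declared = build_class(lambda s: s.declareProtected("View", "get_sum_of_values"))
Blanket = build_class(lambda s: s.setDefaultAccess(1))
```

Of the two ways to make the call succeed, the per-attribute declaration still denies a caller who lacks 'View', while the blanket grant admits every caller to every undeclared attribute.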


