[Zope-dev] Re: security problem in an monkey-patch

Joachim Schmitz js at aixtraware.de
Wed Sep 19 11:30:17 EDT 2007


Tres Seaver wrote:
> 

>> security.declareProtected(view_management_screens, 'getBypassQueue')
>> def getBypassQueue(self):
>>      "get _by_pass"
>>      if not hasattr(self,"_bypass"):
>>          self._bypass = False
>>      return self._bypass
> 
> I would write this as:
> 
>    return getattr(self, '_bypass', False)
> 
> avoiding both write-on-read and hasattr in one fell swoop.
Thanks for the tip.
> 

>> <input type="checkbox" name="enable_bypass"
>> 	               tal:attributes="checked
>> 		       here/portal_catalog/getBypassQueue" />
>>
>> I get:
>> Unauthorized: The container has no security assertions.  Access to 
>> 'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.
>>
>> What am I missing here?
> 
> You need to supply security assertions for the new method you have added
> to the class (your security assertions are being "left behind" in the
> context where you defined the function).  Likely you can add another
> attribute to the class, 'getBypassQueue__roles__', with the value being
> a tuple, ('Manager',)  (unless you want to figure out how to create a
> PermissionRoles object yourself).
I solved it with:

QueueCatalog.getBypassQueue__roles__ = ['Manager', 'Owner',]
Thanks for the help.

-- 
Regards, Joachim
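
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not AccessControl's code: a simplified model of the `<name>__roles__` lookup, showing that a monkey-patched method is denied until the class carries a roles attribute for it, and that the `getattr` default avoids write-on-read. `guarded_call`, `apply_patch` and `try_access` are hypothetical names, and `QueueCatalog` here is a stand-in class.

```python
class Unauthorized(Exception):
    pass

_MISSING = object()

def guarded_call(obj, name, user_roles):
    """Simplified model of the check made when restricted code
    (such as a page template) accesses obj.<name>."""
    roles = getattr(obj, name + "__roles__", _MISSING)
    if roles is _MISSING:
        # No assertion exists for this name: deny by default.
        raise Unauthorized("no security assertions for %r" % name)
    if not set(roles) & set(user_roles):
        raise Unauthorized("%r requires one of %r" % (name, tuple(roles)))
    return getattr(obj, name)()

class QueueCatalog(object):
    """Stand-in for the class being monkey-patched."""

def getBypassQueue(self):
    "get _bypass"
    # Read-only default: nothing is written to the object on a read.
    return getattr(self, "_bypass", False)

def apply_patch(with_roles):
    """Return a patched subclass so both cases can be compared side by side."""
    cls = type("QueueCatalog", (QueueCatalog,),
               {"getBypassQueue": getBypassQueue})
    if with_roles:
        # The assertion must live on the class under <name>__roles__;
        # a declaration made where the function was defined does not
        # travel with the function when it is attached to the class.
        cls.getBypassQueue__roles__ = ("Manager", "Owner")
    return cls

def try_access(cls, user_roles):
    """Return the method's result, or a string describing the denial."""
    try:
        return guarded_call(cls(), "getBypassQueue", user_roles)
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc

if __name__ == "__main__":
    print(try_access(apply_patch(False), ["Manager"]))  # patch only
    print(try_access(apply_patch(True), ["Manager"]))   # patch + roles
    print(try_access(apply_patch(True), ["Member"]))    # wrong role
```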

