[Zope] Security Assertions

Chris McDonough chrism@zope.com
Wed, 16 Jan 2002 12:43:08 -0500


Note that up until Zope 2.5.0b4 there is a bug in the way module 
security assertions are handled that makes it impossible to declare more 
than one assertion without overwriting a previous assertion.  It's not 
really a "security hole", it's just annoying and clearly broken.  I'd 
suggest that you complain about this (or do it yourself) if you think a 
monkeypatch is in order for Zope 2.3/2.4.

Godefroid Chapelle wrote:

>  > Casey Duncan wrote:
>  >
>  > > So the following things don't work:
>  > >
>  > > from Products.Formulator.Form import FormValidationError
>  >
>  > Either Martijn or you need to add the following lines to a Product
>  > __init__.py somewhere:
>  >
>  > from AccessControl import ModuleSecurityInfo
>  > ModuleSecurityInfo('Products').declarePublic('Formulator')
>  > ModuleSecurityInfo('Products.Formulator').declarePublic('Form')
>  > ModuleSecurityInfo('Products.Formulator.Form').declarePublic('FormValidationError')
>  >
>  > Cheers,
>  >
>  > Evan @ Zope
> 
> 
> I added the above code in the corresponding  __init__.py on my machine.
> 
> Which works almost perfectly...:
> 
> Further, I needed to be able to import :
> 
> from Products.gvibDA.gvib.gvibExceptions import IntegrityError
> 
> 
> So I added the following code in gvibDA's __init__.py
> 
> from Products.PythonScripts.Utility import allow_module, allow_class
> from AccessControl import ModuleSecurityInfo, ClassSecurityInfo
> from Globals import InitializeClass
> 
> ModuleSecurityInfo('Products').declarePublic('gvibDA')
> ModuleSecurityInfo('Products.gvibDA').declarePublic('gvib')
> ModuleSecurityInfo('Products.gvibDA.gvib').declarePublic('gvibExceptions')
> ModuleSecurityInfo('Products.gvibDA.gvib.gvibExceptions').declarePublic('IntegrityError') 
> 
> 
> from gvib.gvibExceptions import IntegrityError
> 
> allow_class(IntegrityError)
> 
> 
> I get an 'Unauthorized: Formulator' error when accessing a script 
> beginning with
> 
> from Products.Formulator.Form import FormValidationError
> 
> from Products.gvibDA.gvib.gvibExceptions import IntegrityError
> 
> 
> 
> I suppose it has something to do with the creation of two instances of 
> ModuleSecurityInfo('Products') but have no idea how to correct the problem.
> 
> Any help would be appreciated.
> 
> 
> -- 
> 
> 
> Godefroid Chapelle
> 
> BubbleNet sprl
> rue Victor Horta, 18 / 202
> 1348 Louvain-la-Neuve
> Belgium
> 
> Tel + 32 (10) 459901
> Mob + 32 (477) 363942
> 
> TVA 467 093 008
> RC Niv 49849
> 
> 
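
Added example, not part of the original message and not Zope's AccessControl code: a toy registry that models the overwrite behaviour described in the reply, next to a merging variant, run against the declarations quoted in the thread. The class and function names are hypothetical, and it assumes Formulator's __init__.py runs before gvibDA's.

```python
# Toy model of per-module security assertions; not Zope's AccessControl code.
class Info:
    def __init__(self):
        self.public = set()

    def declarePublic(self, *names):
        self.public.update(names)


class OverwritingRegistry:
    """Each request for a module's info registers a fresh object (the reported bug)."""
    def __init__(self):
        self.by_module = {}

    def module_info(self, module):
        self.by_module[module] = Info()  # earlier assertions for `module` are lost
        return self.by_module[module]

    def first_denied(self, dotted_module, name):
        """Walk the dotted path; return the first name not declared public, else None."""
        parts = dotted_module.split(".") + [name]
        for i in range(1, len(parts)):
            info = self.by_module.get(".".join(parts[:i]))
            if info is None or parts[i] not in info.public:
                return parts[i]
        return None


class MergingRegistry(OverwritingRegistry):
    """Reuses the existing object, so later assertions add to earlier ones."""
    def module_info(self, module):
        return self.by_module.setdefault(module, Info())


# Declarations from the thread; order is an assumption (Formulator first, then gvibDA).
DECLARATIONS = [
    ("Products", "Formulator"),
    ("Products.Formulator", "Form"),
    ("Products.Formulator.Form", "FormValidationError"),
    ("Products", "gvibDA"),
    ("Products.gvibDA", "gvib"),
    ("Products.gvibDA.gvib", "gvibExceptions"),
    ("Products.gvibDA.gvib.gvibExceptions", "IntegrityError"),
]


def check_imports(registry):
    """Apply the declarations, then report the first denied name for each script import."""
    for module, name in DECLARATIONS:
        registry.module_info(module).declarePublic(name)
    return (registry.first_denied("Products.Formulator.Form", "FormValidationError"),
            registry.first_denied("Products.gvibDA.gvib.gvibExceptions", "IntegrityError"))
```

In this model the overwriting registry denies 'Formulator' because the second 'Products' declaration replaced the first, while the merging registry allows both imports.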