[Zope] Zope product security question
Michael R. Schwab
Michael.Schwab-mail.zope.org@icantbelieveididthat.com
Thu, 13 Mar 2003 09:32:14 -0600
Chris Withers wrote:
> Michael R. Schwab wrote:
>
>> The issue that I'm facing seems to be Zope's security model. The
>> ZDG's security guide has even specified that object properties that
>> are basic Python types cannot have their permissions set via the usual
>> security.declarePublic() call (this includes 'id', 'meta_type', 'title').
>
> This is true.
>
> Your options are:
>
> 1. setDefaultAccess('deny') and then provide setter and accessor methods
> for the attributes in question.
>
> 2. I believe setDefaultAccess can be passed a list or function that
> determines whether an attribute is accessible. You'd have to do some
> research on this.

Thanks Chris. I'll look into this and get the results back to the list.
I hate dangling problems in mailing lists...

>> I don't want to specify security.setDefaultAccess( 'allow' ) as this
>> would allow access to mutable types within my product from scripts and
>> defeats the purpose of setting a strict default security policy.
>
>
> Be careful. OFS.SimpleItem.SimpleItem does this anyway, so you'll have
> to ensure you specifically set the policy in your product.

Thanks for the warning! ;-)

Michael
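
Added example, not part of the original message and not Zope's own code: a plain-Python model of the default-access options discussed in this thread, covering allow, deny, a per-name mapping and a callable. It assumes the policy value is stored on the class as `__allow_access_to_unprotected_subobjects__` and consulted as modelled here; the class names, `guarded_getattr` and `readable` are hypothetical helpers and the attribute values are constructed.

```python
# Simplified model (an assumption, not Zope source) of how a default-access
# policy is consulted for attributes that carry no declaration of their own,
# such as plain strings like 'id' and 'title'.

class Unauthorized(Exception):
    pass

def default_access_allows(container, name, value):
    policy = getattr(container, "__allow_access_to_unprotected_subobjects__", None)
    if policy is None:
        return False                       # no policy anywhere: deny
    if isinstance(policy, dict):
        return bool(policy.get(name))      # per-attribute allow list
    if callable(policy):
        return bool(policy(name, value))   # decision function
    return bool(policy)                    # 1 = allow, 0 = deny

def guarded_getattr(obj, name):
    value = getattr(obj, name)
    if not default_access_allows(obj, name, value):
        raise Unauthorized(name)
    return value

class SimpleItemLike:
    # Stand-in for a base class that allows by default.
    __allow_access_to_unprotected_subobjects__ = 1

class InheritsAllow(SimpleItemLike):
    # Sets no policy of its own, so it silently inherits "allow".
    def __init__(self):
        self.id, self.title = "doc1", "Report"          # constructed values
        self.acl = {"editor": ["alice"]}                # mutable state

class DenyAll(InheritsAllow):
    __allow_access_to_unprotected_subobjects__ = 0      # option 1 in the thread

class AllowListed(InheritsAllow):
    __allow_access_to_unprotected_subobjects__ = {"id": 1, "title": 1}

class ImmutableOnly(InheritsAllow):
    # staticmethod keeps the function from being bound to the instance.
    __allow_access_to_unprotected_subobjects__ = staticmethod(
        lambda name, value: isinstance(value, (str, int, float, tuple)))

def readable(obj, names=("id", "title", "acl")):
    out = []
    for n in names:
        try:
            guarded_getattr(obj, n)
            out.append(n)
        except Unauthorized:
            pass
    return out
```

In the model, `InheritsAllow` exposes the mutable `acl` mapping only because its base class allows by default, which is the case the warning about `OFS.SimpleItem.SimpleItem` describes.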