[Zope] Zope product security question

Michael R. Schwab Michael.Schwab-mail.zope.org@icantbelieveididthat.com
Thu, 13 Mar 2003 10:24:27 -0600


Chris Withers wrote:
> Michael R. Schwab wrote:
> 
>> The issue that I'm facing seems to be Zope's security model.  The 
>> ZDG's security guide has even specified that object properties that 
>> are basic Python types cannot have their permissions set via the usual 
>> security.declarePublic() call (this includes 'id', 'meta_type', 'title'). 
> 
> This is true.
> 
> Your options are:
> 
> 1. setDefaultAccess('deny') and then provide setter and accessor methods 
> for the attributes in question.
> 
> 2. I believe setDefaultAccess can be passed a list or function that 
> determines whether an attribute is accessible. You'd have to do some 
> research on this.

Ok, to implement via option #2:

Set the following security declarations (in the product class body):

from AccessControl import ClassSecurityInfo

__roles__ = ()
security = ClassSecurityInfo()
# Per-attribute default access: names mapped to 1 are readable from
# untrusted code, everything not listed (or mapped to 0) is denied.
security.setDefaultAccess( {'id':1,
                            'meta_type':1,
                            'title':1} )

This allows public access to the 'id', 'meta_type', and 'title', but 
disallows access to all other properties such as 'ctime'. 
Alternatively, you can also specify an inaccessible property with 
'ctime':0 in the security.setDefaultAccess() call.

It's a bit of a hoop jumping lesson, but it works.  Thanks Chris!

>> I don't want to specify security.setDefaultAccess( 'allow' ) as this 
>> would allow access to mutable types within my product from scripts and 
>> defeats the purpose of setting a strict default security policy.
> 
> 
> Be careful. OFS.SimpleItem.SimpleItem does this anyway, so you'll have 
> to ensure you specifically set the policy in your product.
> 
> cheers,
> 
> Chris
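The following is an added illustration of the access policy discussed in this thread; it is not Zope's code and does not import AccessControl. It models how a default-access setting is evaluated against attribute reads: a dict acts as an allow-list (unlisted names and names mapped to 0 are denied), a callable is asked per name and value, and the strings 'allow'/'deny' apply uniformly. The names `check_default_access`, `guarded_getattr`, `deny_mutable_values`, `Document` and the assumption that a class without any policy attribute defaults to deny are all mine; the attribute name `__allow_access_to_unprotected_subobjects__` is the one I understand setDefaultAccess() to populate.

```python
"""Model of per-attribute default access (illustration, not Zope code)."""
from typing import Callable, Dict, Union

# A policy is 'allow'/'deny', a 0/1 flag, a name->flag dict, or fn(name, value).
Policy = Union[str, int, Dict[str, int], Callable[[str, object], bool]]

class AccessDenied(Exception):
    """Raised when untrusted code tries to read a non-allowed attribute."""

def check_default_access(policy: Policy, name: str, value: object) -> bool:
    """Return True if an unprotected attribute `name` may be read."""
    if isinstance(policy, str):
        if policy == 'allow':
            return True
        if policy == 'deny':
            return False
        raise ValueError("policy string must be 'allow' or 'deny'")
    if isinstance(policy, dict):
        # Allow-list semantics: a missing name is denied, an explicit 0 denies.
        return bool(policy.get(name, 0))
    if callable(policy):
        return bool(policy(name, value))
    return bool(policy)

def deny_mutable_values(name: str, value: object) -> bool:
    """Callable policy (hypothetical): hide private names and mutable containers."""
    if name.startswith('_'):
        return False
    return not isinstance(value, (list, dict, set))

class Document:
    """Constructed sample product class carrying the dict policy from the thread."""
    __allow_access_to_unprotected_subobjects__ = {
        'id': 1, 'meta_type': 1, 'title': 1, 'ctime': 0,
    }
    meta_type = 'Document'

    def __init__(self, doc_id: str, title: str) -> None:
        self.id = doc_id
        self.title = title
        self.ctime = 1047572667.0     # constructed sample timestamp
        self.tags = ['draft']         # mutable, deliberately not listed

def guarded_getattr(obj: object, name: str) -> object:
    """Read `name` from `obj` only if the class policy permits it.

    Assumption: a class without a policy attribute is treated as 'deny'.
    """
    policy = getattr(type(obj), '__allow_access_to_unprotected_subobjects__', 'deny')
    value = getattr(obj, name)
    if not check_default_access(policy, name, value):
        raise AccessDenied(name)
    return value

def accessible_attributes(obj: object, names) -> list:
    """Return the subset of `names` that untrusted code could read from `obj`."""
    allowed = []
    for name in names:
        try:
            guarded_getattr(obj, name)
        except AccessDenied:
            continue
        allowed.append(name)
    return allowed

if __name__ == '__main__':
    doc = Document('doc1', 'Hello')
    print(accessible_attributes(doc, ['id', 'meta_type', 'title', 'ctime', 'tags']))
    print(check_default_access(deny_mutable_values, 'tags', doc.tags))
```

Running the block lists only `id`, `meta_type` and `title` as readable: `ctime` is denied by its explicit 0 and `tags` because it is absent from the dict, which is the behaviour the thread relies on to keep mutable attributes out of reach of scripts. The callable form shows the other way to express the same intent when the attribute set is not known up front.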