[Zope] Product security and OFS.CopySupport

Michael R. Schwab Michael.Schwab-mail.zope.org at icantbelieveididthat.com
Tue Oct 26 21:34:51 EDT 2004


<quote who="Peter Bengtsson">
> Have you registered the class in your __init__.py file?
> That stuff about restrictedTraverse() is over my head by usually
> copy/paste problems can arise due to unregistered classes.

Yes.  My __init__.py is registering my class:

import CustomFolder
from AccessControl import Permissions

def initialize(context):

  try:
    context.registerClass(
      CustomFolder.CustomFolder,
      permission=Permissions.add_folders,
      constructors=(CustomFolder.manage_addCustomFolderForm,
              CustomFolder.manage_addCustomFolder),
      icon = 'www/Folder_icon.gif' )
  except:
    import sys, traceback, string
    type, val, tb = sys.exc_info()
    sys.stderr.write( string.join(
          traceback.format_exception( type, val, tb ),
          '' ) )
    del type, val, tb

I've subsequently tried different security declaration combinations:

- setting __roles__ to either None or ()

- calling security.setDefaultAccess( 'deny' ) and
  security.setDefaultAccess( {'id':1, 'meta_type':1, 'title':1,
  'icon':1, 'title_or_id':1 } )

- explictly declaring security.declareProtected with the
  Permissions.view permission on id, meta_type, title, icon,
  title_or_id

- explictly declaring security.declareProtected with the
  Permissions.copy_or_move permission on manage_copyObjects,
  manage_cutObjects, manage_pasteObjects, manage_renameObject, and
  manage_renameObjects

The end result is some combination of the following errors:

- unable to browse the CustomFolder's index_html

- unable to access manage_main in the ZMI due to an AttributeError
  with a value of 'NoneType' object has no attribute 'setHeader'

- unable to paste and rename an object contained in a CustomFolder
  object

There _has_ to be a way to declare a folderish object as protected
default and declare protected access to methods and properties by
role names.

Before you ask, yes I am calling InitializeClass(CustomFolder) to
apply the security permissions to my class.

> On Mon, 25 Oct 2004 18:31:55 -0600 (CST), Michael R. Schwab
> <michael.schwab-mail.zope.org at icantbelieveididthat.com> wrote:
>> Hi,
>>
>> I've encountered problems when adding security declarations to a Zope
>> folderish object product on Zope 2.7.2/Python 2.3.4/RH Linux 9.0.
>>
>> My folderish object 'CustomFolder' (see
>> http://files.englesh.org/CustomFolder.tgz for source) has permissions on
>> its methods.  For example, I'm declaring:
>>
>>   security.declarePublic('index_html')
>>   index_html = PageTemplateFile(
>>                  os.path.join('zpt', 'default_index_html'),
>>                  globals())
>>
>> I then initialize the permissions for my object calling:
>>
>>   InitializeClass(CustomFolder)
>>
>> When I instantiate a 'CustomFolder', I can add new sub objects.  I am,
>> however, unable to paste or rename objects within the 'CustomFolder'
>> instance.  I've been able to trace the error to the call to
>> _verifyObjectPaste (line 352) in OFS.CopySupport.  It appears that
>> _verifyObjectPaste fails on the call to
>> self.restrictedTraverse(method_name).  The comments following the call
>> seem to indicate that an Unauthorized exception is thrown if the factory
>> method by name cannot be obtained.
>>
>> Is there something that I am missing in my security declarations for
>> 'CustomFolder' or is this a bug in OFS.CopySupport or OFS.Traversable?
>>
>> I've goggled on this but the results I have found have not fixed the
>> problem I am seeing.
>>
>> Thanks,
>> Michael
-- 
Michael R. Schwab

All those who believe in psychokinesis, raise my hand.


More information about the Zope mailing list