[Zope] DiskBased products and security

[Dieter Maurer]

Haim Ashkenazi wrote at 2005-6-13 15:43 +0300:
> ...
>1. __roles__ = () - I didn't understand exactly why but with this
>statement I can't access the product either from the ZMI or directly from
>the web.

This is a (deprecated) alternative for "security.declareObjectPrivate()".

>2. security.setDefaultAccess("deny") - I think I understand why we changed
>that, but it's causing a lot of problems. If I add 'delareProtected' for
>all my methods, I can access certain pages , but with some pages (maybe
>ones that's calling methods form base classes or acquisition like
>'title_or_id') I still get errors ("Unauthorized: You are not allowed to
>access 'title_or_id' in this context"). trying to solve this I started
>adding 'declareProtected' for every method I got error for. I gave up
>after 3 methods, but it seem to help.

Yes, many methods of "OFS.SimpleItem.SimpleItem" and its base
classes rely on its "setDefaultAccess('allow')".

If you change this to "deny", you have to provide the
explicit security declarations.

>so, I was wondering if something was changed in the security model since
>2.5 (the version that the book is about) until 2.7, and is there a place
>where it's documented (the zope developer guide is versioned 2.4)?

"setDefaultAccess('deny')" had a bug in some earlier Zope versions.
With the exception of this fix, nothing changed here for a long
time. You can still use the Zope Developper Guide...

>also, If I'll make sure that every method I have in my module is also
>declared as protected, or public, is there a problem with living the
>default access as any?

As what?

The "default access" also controls access to attributes of
simple type (strings, tuples, dicts, ...) which cannot have
their own security declarations.

If you do not access such attributes directly and
you provide security declarations for all methods you use,
then you can keep "defaultAccess == 'deny'".

-- 
Dieter