[Zope] Security framework troubles

Dieter Maurer dieter at handshake.de
Sat May 7 13:21:46 EDT 2005


Anders Bruun Olsen wrote at 2005-5-6 18:19 +0200:
> ...
>  security = ClassSecurityInfo()
>  security.setDefaultAccess("deny")
>  security.declareProtected("View Bookbase", "index_html")
> ...
>When the template tries to access container/title an access denied
>exception is raised. With VerboseSecurity I get this explanation:
>
>Unauthorized: The container has no security assertions. Access to
>'title' of (Bookbase at /bookbase) denied.
>
>What exactly am I missing here?

Up to Zope 2.8, you cannot protect access to objects
of simple type (such as the "title" attribute of type "string")
in an easy way.
Access to such attributes is dually protected:

       By the "Object Permission" (set via "security.declareObjectProtected")
       *and* the "setDefaultAccess".

"setDefaultAccess" can in fact take dictionaries and callables
as arguments. Read the Zope Developer Guide for the
types available for "__allow_access_to_unprotected_subobjects__"
and how they are interpreted.
"setDefaultAccess" just causes its argument to be assigned
to "__allow_acc...".

-- 
Dieter
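
Added example, not part of the original message and not Zope's own code: a simplified Python model of the dual check described in the reply above, showing how a flag, dictionary, or callable assigned to "__allow_access_to_unprotected_subobjects__" combines with the object permission. Using "__roles__" as a stand-in for the object permission, and the class and helper names, are assumptions of this sketch.

```python
# Simplified model, NOT Zope source: how access to an attribute that carries
# no security declaration of its own (e.g. a string "title") is decided.
class Unauthorized(Exception):
    pass

_NO_ROLES = object()  # marker: container has no __roles__ at all

def default_access_allows(policy, name, value):
    """Interpret a __allow_access_to_unprotected_subobjects__ value."""
    if policy is None:
        return False
    if isinstance(policy, dict):      # per-name map: name must map to a true value
        return bool(policy.get(name))
    if callable(policy):              # called as policy(name, value)
        return bool(policy(name, value))
    return bool(policy)               # plain flag: 1 allows all, 0 denies all

def get_unprotected(container, name, user_roles):
    """Both gates must pass: default-access policy AND object permission."""
    value = getattr(container, name)
    roles = getattr(container, "__roles__", _NO_ROLES)
    if roles is _NO_ROLES:
        raise Unauthorized("The container has no security assertions.")
    policy = getattr(container, "__allow_access_to_unprotected_subobjects__", None)
    if not default_access_allows(policy, name, value):
        raise Unauthorized("default access denies %r" % name)
    # roles None models a public object; otherwise the user needs one of them
    if roles is not None and not set(roles) & set(user_roles):
        raise Unauthorized("object permission not granted for %r" % name)
    return value

def outcome(container, name, user_roles):
    try:
        return get_unprotected(container, name, user_roles)
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc

class Bookbase:                        # constructed sample, hypothetical attributes
    title = "My books"
    secret_note = "internal"
    __roles__ = ("Manager", "Reader")  # stands in for the object permission's roles
    __allow_access_to_unprotected_subobjects__ = {"title": 1}

class CallableBookbase(Bookbase):
    # callable form: allow only string attributes not named "secret..."
    __allow_access_to_unprotected_subobjects__ = staticmethod(
        lambda name, value: isinstance(value, str) and not name.startswith("secret"))
```

In this model, outcome(Bookbase(), "title", ["Reader"]) returns the title, while the same call with ["Anonymous"] fails on the object permission and "secret_note" fails on the default-access dictionary.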

