[Zope] DiskBased products and security

2005-06-13 Thread Haim Ashkenazi
Hi

I'm following the example of The Zope Bible on how to create disk based
products.

after adding the imports, 'InitializeClass(class)' statement and the
'security = ClassSecurityInfo()' statement he recommends two other
statements:

1. __roles__ = () - I didn't understand exactly why but with this
statement I can't access the product either from the ZMI or directly from
the web.

2. security.setDefaultAccess(deny) - I think I understand why we changed
that, but it's causing a lot of problems. If I add 'declareProtected' for
all my methods, I can access certain pages, but with some pages (maybe
ones that are calling methods from base classes or acquisition like
'title_or_id') I still get errors (Unauthorized: You are not allowed to
access 'title_or_id' in this context). Trying to solve this I started
adding 'declareProtected' for every method I got an error for. I gave up
after 3 methods, but it seems to help.

so, I was wondering if something was changed in the security model since
2.5 (the version that the book is about) until 2.7, and is there a place
where it's documented (the zope developer guide is versioned 2.4)?

also, if I make sure that every method I have in my module is also
declared as protected, or public, is there a problem with leaving the
default access as any?

thanx

-- 
Haim


___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


[Zope] Re: DiskBased products and security

2005-06-13 Thread Haim Ashkenazi
On Mon, 13 Jun 2005 19:13:14 +0200, Dieter Maurer wrote:

> Haim Ashkenazi wrote at 2005-6-13 15:43 +0300:
> ...
>> 1. __roles__ = () - I didn't understand exactly why but with this
>> statement I can't access the product either from the ZMI or directly from
>> the web.
>
> This is a (deprecated) alternative for security.declareObjectPrivate().
>
>> 2. security.setDefaultAccess(deny) - I think I understand why we changed
>> that, but it's causing a lot of problems. If I add 'declareProtected' for
>> all my methods, I can access certain pages, but with some pages (maybe
>> ones that are calling methods from base classes or acquisition like
>> 'title_or_id') I still get errors (Unauthorized: You are not allowed to
>> access 'title_or_id' in this context). Trying to solve this I started
>> adding 'declareProtected' for every method I got an error for. I gave up
>> after 3 methods, but it seems to help.
>
> Yes, many methods of OFS.SimpleItem.SimpleItem and its base
> classes rely on its setDefaultAccess('allow').
>
> If you change this to deny, you have to provide the
> explicit security declarations.
>
>> so, I was wondering if something was changed in the security model since
>> 2.5 (the version that the book is about) until 2.7, and is there a place
>> where it's documented (the zope developer guide is versioned 2.4)?
>
> setDefaultAccess('deny') had a bug in some earlier Zope versions.
> With the exception of this fix, nothing changed here for a long
> time. You can still use the Zope Developer Guide...
>
>> also, if I make sure that every method I have in my module is also
>> declared as protected, or public, is there a problem with leaving the
>> default access as any?
>
> As what?

sorry, I was unclear there :)

what I meant is if I won't leave any method undeclared (security wise) in
my class, will it be a security risk to leave the default access
(setDefaultAccess('any'))? can I protect uncallable objects (like
variables) the same way?

> The default access also controls access to attributes of simple type
> (strings, tuples, dicts, ...) which cannot have their own security
> declarations.
>
> If you do not access such attributes directly and you provide security
> declarations for all methods you use, then you can keep defaultAccess
> == 'deny'.

thanx a lot for a very informative answer.

Bye
-- 
Haim




[Zope] Re: DiskBased products and security

2005-06-13 Thread Haim Ashkenazi
On Mon, 13 Jun 2005 21:07:56 +0300, Haim Ashkenazi wrote:

> On Mon, 13 Jun 2005 19:13:14 +0200, Dieter Maurer wrote:
>
>> Haim Ashkenazi wrote at 2005-6-13 15:43 +0300:
>> ...
>>> 1. __roles__ = () - I didn't understand exactly why but with this
>>> statement I can't access the product either from the ZMI or directly from
>>> the web.
>>
>> This is a (deprecated) alternative for security.declareObjectPrivate().
>>
>>> 2. security.setDefaultAccess(deny) - I think I understand why we changed
>>> that, but it's causing a lot of problems. If I add 'declareProtected' for
>>> all my methods, I can access certain pages, but with some pages (maybe
>>> ones that are calling methods from base classes or acquisition like
>>> 'title_or_id') I still get errors (Unauthorized: You are not allowed to
>>> access 'title_or_id' in this context). Trying to solve this I started
>>> adding 'declareProtected' for every method I got an error for. I gave up
>>> after 3 methods, but it seems to help.
>>
>> Yes, many methods of OFS.SimpleItem.SimpleItem and its base
>> classes rely on its setDefaultAccess('allow').
>>
>> If you change this to deny, you have to provide the
>> explicit security declarations.
>>
>>> so, I was wondering if something was changed in the security model since
>>> 2.5 (the version that the book is about) until 2.7, and is there a place
>>> where it's documented (the zope developer guide is versioned 2.4)?
>>
>> setDefaultAccess('deny') had a bug in some earlier Zope versions.
>> With the exception of this fix, nothing changed here for a long
>> time. You can still use the Zope Developer Guide...
>>
>>> also, if I make sure that every method I have in my module is also
>>> declared as protected, or public, is there a problem with leaving the
>>> default access as any?
>>
>> As what?
>
> sorry, I was unclear there :)
>
> what I meant is if I won't leave any method undeclared (security wise) in
> my class, will it be a security risk to leave the default access
> (setDefaultAccess('any'))? can I protect uncallable objects (like
> variables) the same way?

that was just me being stupid :)
If I want to protect a variable, I can just give it a name starting with
_somename...

Bye

>> The default access also controls access to attributes of simple type
>> (strings, tuples, dicts, ...) which cannot have their own security
>> declarations.
>>
>> If you do not access such attributes directly and you provide security
>> declarations for all methods you use, then you can keep defaultAccess
>> == 'deny'.
>
> thanx a lot for a very informative answer.
>
> Bye

-- 
Haim
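
Added example, not part of the original thread and not Zope's own code: a small self-contained Python model of the decision order the messages above describe (underscore names are private, an explicit declaration decides next, otherwise the class's default access applies, including for simple attributes such as strings). ModelSecurityInfo, is_allowed, probe, PERMISSION_ROLES and the sample classes are hypothetical names; the real checks live in Zope's AccessControl package.

```python
# Simplified model of the access decision discussed in this thread.
# Not Zope's AccessControl code: every name defined here is hypothetical.
PERMISSION_ROLES = {"View": {"Anonymous", "Manager"}}

class ModelSecurityInfo:
    def __init__(self, default="allow"):
        self.default = default    # applies to names without a declaration
        self.permissions = {}     # attribute name -> permission name
    def declareProtected(self, permission, *names):
        for name in names:
            self.permissions[name] = permission

def is_allowed(obj, name, user_roles):
    """True if untrusted code holding user_roles may reach obj.<name>."""
    if name.startswith("_"):
        return False                          # underscore names are private
    for klass in type(obj).__mro__:           # nearest declaration wins
        info = klass.__dict__.get("security")
        if info is not None and name in info.permissions:
            allowed_roles = PERMISSION_ROLES[info.permissions[name]]
            return bool(allowed_roles & set(user_roles))
    # No declaration anywhere: the default of the nearest class decides.
    return type(obj).security.default == "allow"

class BaseItem:                               # stands in for a base class
    security = ModelSecurityInfo()            # relies on default "allow"
    title = "Sample"                          # simple type, no declaration
    def title_or_id(self):
        return self.title

class StrictProduct(BaseItem):                # deny by default, one declaration
    security = ModelSecurityInfo(default="deny")
    security.declareProtected("View", "index_html")
    _note = "internal"
    def index_html(self):
        return "page"

class DeclaredProduct(StrictProduct):         # also declares the inherited method
    security = ModelSecurityInfo(default="deny")
    security.declareProtected("View", "title_or_id")

def probe(obj, roles=("Anonymous",)):
    """Access decision for each sample name, as {name: bool}."""
    names = ("index_html", "title_or_id", "title", "_note")
    return {name: is_allowed(obj, name, roles) for name in names}
```

In this model, probe(StrictProduct()) refuses the inherited title_or_id until DeclaredProduct gives it its own declaration, while the plain string attribute title stays refused under default access 'deny' in both classes.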




[Zope] Re: backing up a running zodb fileStorage

2005-06-10 Thread Haim Ashkenazi
On Fri, 10 Jun 2005 09:30:35 +0200, gabor wrote:

> hi,
>
> i am trying to backup a zodb filestorage of a running zope.
> i'm on linux.
>
> i've read that you simply make a copy of the Data.fs file..
>
> but what about the modifications/transactions that are happening when i
> make the copy.
>
> will not the database be in a corrupt state then?

I back up my Data.fs with repozo.py. You can find some info about it in the
plone book:
http://docs.neuroinf.de/PloneBook/ch14.rst

Bye
-- 
Haim




[Zope] Re: DiskBased Product question

2005-06-08 Thread Haim Ashkenazi
thanx for the replies. I'll look into these options today.

Bye

On Tue, 07 Jun 2005 19:35:23 +0300, Haim Ashkenazi wrote:

> Hi
>
> I'm looking for documentation or simple examples on how to create a disk
> based product that when I install it, it also adds some third party
> products.
>
> for example, If I select my product from the Add list, it'll create a
> folder, insert my code into it, but also insert mailhost, database
> connector, exuserfolder etc...
>
> is it even possible?
>
> one of the reasons I want to create it this way, and not just instruct the
> user to add these products and only then add mine, is because I want to
> have a few levels of folders with acl_users inside them instead of
> defining all the users in one folder and start playing with roles and
> permissions...
>
> thanx

-- 
Haim




[Zope] userFolder that holds user's email

2005-06-07 Thread Haim Ashkenazi
Hi

I'm looking for a zope (not plone) userFolder that can hold the user's
email and perhaps full name. It should be the same authentication method,
but with additional fields. Do I have to write one myself or are there
already products that have this feature?

thanx
-- 
Haim




[Zope] Re: userFolder that holds user's email

2005-06-07 Thread Haim Ashkenazi
On Tue, 07 Jun 2005 12:37:36 +0100, Joe Bezier wrote:

> Have a look at ExUserFolder
> (http://sourceforge.net/projects/exuserfolder/) we use it and I think
> it's great...

yes, it sure looks like a great product. thanx...

Bye
-- 
Haim




[Zope] DiskBased Product question

2005-06-07 Thread Haim Ashkenazi
Hi

I'm looking for documentation or simple examples on how to create a disk
based product that when I install it, it also adds some third party
products.

for example, If I select my product from the Add list, it'll create a
folder, insert my code into it, but also insert mailhost, database
connector, exuserfolder etc...

is it even possible?

one of the reasons I want to create it this way, and not just instruct the
user to add these products and only then add mine, is because I want to
have a few levels of folders with acl_users inside them instead of
defining all the users in one folder and start playing with roles and
permissions...

thanx

-- 
Haim

