Re: [Zope] Security framework troubles
Anders Bruun Olsen wrote at 2005-5-6 18:19 +0200: ... security = ClassSecurityInfo() security.setDefaultAccess(deny) security.declareProtected(View Bookbase, index_html) ... When the template tries to access container/title an access denied expection is raised. With VerboseSecurity I get this explanaition: Unauthorized: The container has no security assertions. Access to 'title' of (Bookbase at /bookbase) denied. What exactly am I missing here? Up to Zope 2.8, you cannot protect access to objects of simple type (such the title attribute of type string) in an easy way. Access to such attributes are dually protected: By the Object Permission (set via security.declareObjectProtected) *and* the setDefaultAccess. setDefaultAccess can in fact take dictionaries and callables as arguments. Read the Zope Developper Guide for the types available for __allow_access_to_unprotected_subobjects__ and how they are interpreted. setDefaultAccess just causes its argument to be assigned to __allow_acc -- Dieter ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Security framework troubles
Hi, I am attempting to make a zope product (a custom book-database for use by my employer) and of course want to secure it. I have added this code to my class: security = ClassSecurityInfo() security.setDefaultAccess(deny) security.declareProtected(View Bookbase, index_html) security.declareProtected(View Bookbase, standard_page) security.declareProtected(View management screens, manage_main) And also of course InitializeClass(Bookbase) When the template tries to access container/title an access denied expection is raised. With VerboseSecurity I get this explanaition: Unauthorized: The container has no security assertions. Access to 'title' of (Bookbase at /bookbase) denied. What exactly am I missing here? It works if I do setDefaultAccess(allow), but I don't want to allow access by default and then just deny for those I know I want to deny access to. I want it the other way around. -- Anders -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS/O d--@ s:+ a-- C++ UL+++$ P++ L+++ E- W+ N(+) o K? w O-- M- V PS+ PE@ Y+ PGP+ t 5 X R+ tv+ b++ DI+++ D+ G e- h !r y? --END GEEK CODE BLOCK-- PGPKey: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=getsearch=0xD4DEFED0 ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Security framework troubles
--On Freitag, 6. Mai 2005 18:19 Uhr +0200 Anders Bruun Olsen [EMAIL PROTECTED] wrote: It works if I do setDefaultAccess(allow), but I don't want to allow access by default and then just deny for those I know I want to deny access to. I want it the other way around. Why don't you write an accessor method getTitle() and security assertion to the method? -ah pgpSBWuP18DNL.pgp Description: PGP signature ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
