> The basic security mechanism uses the attribute "m__roles__" in order > to protect "m". If this attribute it "None", then "m" is public. > Otherwise, it is expected to be a sequence of roles that are allowed > to use "m". > > But, "ExtensionsClass" brings with it computed attributes. This allows > "m__roles__" to be not a sequence but a method returning a sequence. > When you protect "m" with a permission "p", then > "m__roles__" is set to "PermissionRole(p)". This instance dynamically > evaluates into a sequence of roles by crawling up the "aq_container" > (which is correctly "aq_parent" after "aq_inner") chain and translating > "p" into roles by interpreting the "permission-to-role" mapping > it finds on its way to the application object. > > Therefore, "declarePublic" works for non-wrapped instances while > "declareProtected" requires the wrapping. > > > Dieter
Very well put, Dieter -- both as an explanation of the problem at hand, as well as a general description of one of the more esoteric regions of Zope. I think it belongs in a document somewhere. Thanks. I knew I read these email lists for a reason. Ziniti _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
