Zope 2

ClassSecurityInfo uses class.__dict__ setitem

Bug #142712 reported by Bug Importer
0
Affects Status Importance Assigned to Milestone
Zope 2
Fix Released
Medium
Unassigned

Bug Description

The ClassSecurityInfo class' apply method is using dictionary assignment to set class attribute values. This breaks if the class is a new-style class under Python 2.2+, where class-dictionaries are proxy objects that disallow setting values. The problem likely can be fixed by substituting all instances of:

   dict[key] = value

with:

   setattr( classobj, key, value )

you can check the error with this code:

from AccessControl import ClassSecurityInfo
import Globals

class X( object ):
 """Some content object"""
 security = ClassSecurityInfo()
 security.setDefaultAccess( 'allow' )
 def y( self ):
  """Do something or other"""

Globals.InitializeClass(X)

which produces this traceback:

  File "v:\zopehome/Products\Cinemon\Cinemon.py", line 1, in ?
    import securityproblem
  File "v:\zopehome/Products\Cinemon\securityproblem.py", line 11, in ?
    Globals.InitializeClass(X)
  File "C:\bin\Zope27\lib\python\App\class_init.py", line 61, in default__class_init__
    security_info.apply(self)
  File "C:\bin\Zope27\lib\python\AccessControl\SecurityInfo.py", line 185, in apply
    dict['__ac_permissions__'] = tuple(__ac_permissions__)
TypeError: object does not support item assignment

Tags: bug zope
Revision history for this message
Hanno Schlichting (hannosch) wrote :

The code in current Zope does indeed use a "setattr(classobj, '%s__roles__' % name, access)" instead as proposed by this patch.

Changed in zope2:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.