Storing method instance of user written class in list confuses Zope access control system.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tony Middleton wrote:
> Public bug reported:
>
> After moving from Zope 2.10 to 2.12 some existing Python code which
> accesses self written packages failed. I have created a small test
> module to show the problem.
>
> Here is Products/testp/testm.py
>
> class testc:
> def __init__(self,testval):
> self.testval = testval
> def testv(self):
> return self.testval

The fact that access to 'testv' worked in any Zope2 version was the bug:
 your class doesn't abide by the Zope2 security policy, which requires
that methods of classes be explicitly protected with a permission, or
else that the class has an '__allow_access_to_unprotected_subobjects__'
which enables access. Your grants allow access to the module and the
class, but not to methods or attributes of the class. See:

 http://docs.zope.org/zope2/zdgbook/Security.html

Please try adding the "magic" attribute at class scope, e.g.::

  class testc:
      __allow_access_to_unprotected_subobjects__ = 1
      ...

or else set up explicit security on your class, and initialize the class::

  from AccessControl.SecurityInfo import ClassSecurityInfo
  from App.class_init import InitializeClass

  class testc:
      security = ClassSecurityInfo()
      ...
      security.declarePublic('testv')
      def testv(self):
          ...

  InitializeClass(testc)

If that fixes the issue, then we can re-categorize this as a misfeature
of Zope 2.10.

  status incomplete

Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvu334ACgkQ+gerLs4ltQ6BRQCgq6320sot9WP8z2NDi/5im7py
OekAoIIZE4npLZ8OMQ4MILg8084/cPI6
=bVy6
-----END PGP SIGNATURE-----

I'm afraid neither of the suggestions above made any difference and I'm also slightly confused about the reply.

Firstly, I understand the above to say that I have not correctly given access to the method and the fact that it worked in 2.10 was a fault that has now been fixed. However, that would imply that none of my three cases would work whereas the only failure on 2.12 is when I store the instance in a list.

Also, I had read the page referred to and although the description of allow_class is minimal my understanding was that it is a shorthand that gives full access as it says "the utility function “allow_class” and “allow_module” have been created to help you declare the entire contents of a class or module as public".

Interestingly, the third sample works if I use a tuple instead of a list but not a dictionary.

The zope2 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it at https://github.com/zopefoundation/zope2.