Comment 1 for bug 580912

Revision history for this message
Tres Seaver (tseaver) wrote : Re: [zope2-tracker] [Bug 580912] [NEW] Storing method instance of user written class in list confuses Zope access control system.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tony Middleton wrote:
> Public bug reported:
>
> After moving from Zope 2.10 to 2.12 some existing Python code which
> accesses self written packages failed. I have created a small test
> module to show the problem.
>
> Here is Products/testp/testm.py
>
> class testc:
> def __init__(self,testval):
> self.testval = testval
> def testv(self):
> return self.testval

The fact that access to 'testv' worked in any Zope2 version was the bug:
 your class doesn't abide by the Zope2 security policy, which requires
that methods of classes be explicitly protected with a permission, or
else that the class has an '__allow_access_to_unprotected_subobjects__'
which enables access. Your grants allow access to the module and the
class, but not to methods or attributes of the class. See:

 http://docs.zope.org/zope2/zdgbook/Security.html

Please try adding the "magic" attribute at class scope, e.g.::

  class testc:
      __allow_access_to_unprotected_subobjects__ = 1
      ...

or else set up explicit security on your class, and initialize the class::

  from AccessControl.SecurityInfo import ClassSecurityInfo
  from App.class_init import InitializeClass

  class testc:
      security = ClassSecurityInfo()
      ...
      security.declarePublic('testv')
      def testv(self):
          ...

  InitializeClass(testc)

If that fixes the issue, then we can re-categorize this as a misfeature
of Zope 2.10.

  status incomplete

Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvu334ACgkQ+gerLs4ltQ6BRQCgq6320sot9WP8z2NDi/5im7py
OekAoIIZE4npLZ8OMQ4MILg8084/cPI6
=bVy6
-----END PGP SIGNATURE-----