(コードを安全にする)

はじめに

How to define which permissions are needed to execute your view, code, etc.

New style vs. old style

This is for those who are familiar with Plone 2, but not yet with Plone 3.

Use Zope 3 techniques:

• Expose data through View and BrowserView instances
• Put security declarations in grok Views http://grok.zope.org/doc/current/reference/directives.html#security-directives
• Put Security declarations in ZCML file

Try to avoid old style (Zope 2) techniques in new code:

• ClassSecurityInfo
• ModuleSecurityInfo
• security.declareProtected() / security.declarePublic() declarations
• Script (Python) snippets

Declaring view security

<browser:page> takes in an attribute permission.

See browser:page reference.

Example:

<!-- permission comes from -->

<browser:page
        for="getpaid.core.interfaces.IStore"
        name="null_payment_button"
        class=".button.NullPaymentButton"
        permission="zope2.View"
        template="templates/button.pt"
        />

– _ModuleSecurityInfo: http://svn.zope.org/Zope/trunk/src/AccessControl/SecurityInfo.py?rev=96262&view=markup