Zope developer book - chapter security - missing info about implications of docstrings?

[jugmac00]

I just read through the chapter 8 of the Zope developer book "Security" (https://zope.readthedocs.io/en/latest/zdgbook/Security.html), and I could not find any mention of what adding or leaving out docstrings do to the accessibility of methods through the web.

@d-maurer gave me a hint about what happens when you add a docstring to a method:
zopefoundation/Products.ZCatalog#89 (comment)

Shouldn't this be mentioned in the documentation?

Especially in this list?
https://zope.readthedocs.io/en/latest/zdgbook/Security.html#details-of-the-default-zope-security-policy

P.S.: Thanks for updating the chapter!!!

[jugmac00]

Also, after reading the security chapter, I do not understand why in the following example the docstring matters, as there is an explicit security declaration:
zopefoundation/Products.ZCatalog#89 (review)

[perrinjerome]

In my understanding, the docstrings matters only for publishing (when an object or method is accessed by URL in an HTTP request) and not for "restricted python security" (when accessing objects or methods in restricted python scripts).

The relevant documentation seems to be
https://zope.readthedocs.io/en/latest/zdgbook/ObjectPublishing.html#publishable-object-requirements and https://zope.readthedocs.io/en/latest/zdgbook/Security.html#how-the-security-policy-relates-to-zope-s-publishing-machinery explains the relation between the two.

[jugmac00]

Thanks for your input. I guess I still need to read more about this topic and maybe play around in an instance to fully grasp that concept.

• method with security.declareProtected -> View => only logged in users/with permission View
• method without security declaration without docstring => nobody
• method without security declaration with docstring => everybody
• method with security.declarationPublic => everybody
• method with leading underscore....

Basically I'd have to create a matrix with

• 3x different security declarations + without declaration
• with or without docstring
• with or without leading underscore
  => 4 x 2 x 2 => 16 different possibilities?

[icemac]

A leading underscore makes a method always private. (This might be changed by using TrustedExacutables.) The doctoring should only be taken into account if there is no security declaration. I created #774 to discuss the meaning of docstrings.

[d-maurer]

Michael Howitz wrote at 2020-1-31 07:15 -0800:

... The doctoring should only be taken into account if there is no security declaration.

I do not think that this would be good: access via the Web usually requires more control/protection (e.g. protection against CSRF (= "Cross Site Request Forgery") attacks) than "internal" access. Thus, you want to have some way to allow "internal" access but prevent direct access via the web. I agree that using docstrings for this is likely not the best approach -- just the approach currently used.