[Zope-dev] security problem in an monkey-patch

19 Sep 2007

      Hi,

I have monkey-patched the QueueCatalog to adopt it to our needs, which 
works fine. I now wanted to introduce a new feature:

The QueueCatalog should be bypassed during mass-import of data.
So I introduced a new variable "_bypass", and new getBypassQueue() and 
setBypassQueue methods in the monkey-patch:

security.declareProtected(view_management_screens, 'getBypassQueue')
def getBypassQueue(self):
     "get _by_pass"
     if not hasattr(self,"_bypass"):
         self._bypass = False
     return self._bypass

security.declareProtected(view_management_screens, 'setBypassQueue')
def setBypassQueue(self, bypass=False):
     "set _bypass"
     self._bypass = bypass

from Products.QueueCatalog.QueueCatalog import QueueCatalog
QueueCatalog.getBypassQueue = getBypassQueue
QueueCatalog.setBypassQueue = setBypassQueue

I can invoke these methods from the url like:

../portal_catalog/setBypassQueue?bypass=1

and

../portal_catalog/getBypassQueue
displays a 1

But when I do a:

<input type="checkbox" name="enable_bypass"
	               tal:attributes="checked
		       here/portal_catalog/getBypassQueue" />

I get:
Unauthorized: The container has no security assertions.  Access to 
'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.

What I am missing here.

-- 
Gruß Joachim

[Zope-dev] security problem in an monkey-patch

Joachim Schmitz