On 27 June 2010 00:24, Hanno Schlichting <hanno@hannosch.eu> wrote:
> Hi there,
> recently MJ opened a security-related bug and disclosed it to the public at https://bugs.launchpad.net/zope2/+bug/578326.
> In short Zope 2 never supported the permission attribute on ZCML browser:view declarations. It seems some people might have specified this attribute and assumed it would do something.
> I have added a warning message to Zope 2 (trunk + 2.12 branch) which warns about those cases. This is similar to how we handle other such cases like the unsupported <require set_schema=".." /> and <require set_attributes="..." /> on class directives.
> But it turns out that Zope 2 itself is using this in one place, that looks like it ought to have a security declaration. The Products.Five.adding.ContentAdding class registered as an add view ("+") has no working security declarations I can see, and only has such a non-functioning permission="zope2.ViewManagementScreens" set. I'm not familiar enough with the add view concept to understand what this is doing. It also looks like both CMF and Plone use similar registrations for their add views.
> Ideally I'd love to add support for the permission attribute, as clearly people have been using it. But if there's nobody who can figure out how to do that, I'd at least like to clarify the add view case.
Fixed in r114488 (2.12 branch) and r114490 (trunk). I don't think I'm allowed to close the issue on Launchpad, but it should be fine now.

Cheers,
Martin
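The failure mode Hanno describes is a configuration that looks protected but is not: a `permission` attribute on a `browser:view` directive that Zope 2 silently ignored. A defender auditing a site's ZCML wants a way to find every such declaration and see whether the view class is also covered by a `<class>` / `<require permission="..."/>` directive, which Zope 2 does honour. The following lint is an added example written for this thread; it is not Zope, CMF or Plone code and not the warning Hanno added. The sample ZCML is constructed, and the dotted class names, the `example.*` interface and the shape of the `<class>` protection are assumptions for illustration.

```python
"""Lint ZCML for permission attributes on browser:view directives.

Constructed example, not Zope's own code. Zope 2 (per the thread above)
ignored `permission` on browser:view, so a view that relies on it alone is
effectively unprotected unless the class carries its own <require> directive.
"""
import xml.etree.ElementTree as ET

BROWSER_NS = "http://namespaces.zope.org/browser"
ZOPE_NS = "http://namespaces.zope.org/zope"
VIEW_TAG = "{%s}view" % BROWSER_NS
CLASS_TAG = "{%s}class" % ZOPE_NS
REQUIRE_TAG = "{%s}require" % ZOPE_NS

# Constructed sample ZCML modelled on the add-view registration from the mail.
# Class and interface names are hypothetical placeholders.
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">

  <!-- permission here is silently ignored by Zope 2 ... -->
  <browser:view
      name="+"
      for="*"
      class="example.adding.ContentAdding"
      permission="zope2.ViewManagementScreens"
      />

  <!-- ... but this explicit class-level declaration is honoured -->
  <class class="example.adding.ContentAdding">
    <require permission="zope2.ViewManagementScreens"
             interface="example.interfaces.IContentAdding" />
  </class>

  <!-- no class directive at all: the permission attribute is the only guard -->
  <browser:view
      name="manage_things"
      for="*"
      class="example.views.ManageThings"
      permission="zope2.ViewManagementScreens"
      />
</configure>
"""


def protected_classes(root):
    """Dotted class names that have at least one <class><require permission=.../></class>."""
    names = set()
    for cls in root.iter(CLASS_TAG):
        for req in cls.iter(REQUIRE_TAG):
            if req.get("permission"):
                names.add(cls.get("class"))
                break
    return names


def find_ignored_permissions(zcml_text):
    """Return one finding per browser:view that carries a permission attribute.

    Each finding records whether the same class is also protected by a
    <class> directive, which is what actually enforces access in Zope 2.
    """
    root = ET.fromstring(zcml_text)
    protected = protected_classes(root)
    findings = []
    for view in root.iter(VIEW_TAG):
        permission = view.get("permission")
        if permission is None:
            continue
        cls = view.get("class")
        findings.append({
            "name": view.get("name"),
            "class": cls,
            "permission": permission,
            "covered_by_class_directive": cls in protected,
        })
    return findings


def report(zcml_text):
    """Human-readable lines, flagging views whose only guard is the ignored attribute."""
    lines = []
    for f in find_ignored_permissions(zcml_text):
        status = "ok (class directive)" if f["covered_by_class_directive"] else "UNPROTECTED"
        lines.append("browser:view name=%r class=%s permission=%s -> %s"
                     % (f["name"], f["class"], f["permission"], status))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ZCML):
        print(line)
```

Run against a real site's ZCML the check is only as good as its assumption that class-level `<require>` is the other protection mechanism in play; a view could also be guarded by explicit `ClassSecurityInfo` declarations in Python, which this XML-only scan does not see. Treat an `UNPROTECTED` line as a prompt to look at the view class, not as a verdict.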