15 Mar 2006, 8:51 p.m.
yuppie wrote at 2006-3-15 11:23 +0100:
> ... Zope 2's checkValidId makes sure this doesn't happen with Zope 2 folder methods, Zope 3's NameChooser makes sure this doesn't happen with Zope 3 folder views. Even the bad_id-patch described above doesn't allow overriding folder methods.

Maybe, the "checkValidId" should refuse to add an object with an id that hides a view declared for this folder and not reject any id that might (potentially) hide a view because it starts with "@" or "+"... This would prevent the security concerns you seem to have and allow most ids to be accepted...

-- Dieter
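
The two id checks discussed in this message, side by side, as an added example that is not Zope code and not from either poster. It assumes the views declared for a folder can be modelled as a plain set of names, and that an id hides a view when it equals the view name or its explicit `@@name` spelling; all function names are hypothetical.

```python
# Added illustration, not Zope's checkValidId or NameChooser.
# Assumption: a folder's declared views are modelled as a set of names.
PREFIXES = ("@", "+")  # the prefixes named in the thread

# Constructed sample registry for one folder ("+" stands for an adding view).
VIEWS = frozenset({"index.html", "contents.html", "+"})


def check_by_prefix(new_id):
    """Blanket rule taken in isolation: refuse any id starting with '@' or '+'."""
    return not new_id.startswith(PREFIXES)


def shadowed_names(new_id, folder_views):
    """Return the declared view names that new_id would hide.

    Assumed collision forms: the bare view name and the '@@name' spelling.
    """
    candidates = {new_id}
    if new_id.startswith("@@"):
        candidates.add(new_id[2:])
    return sorted(candidates & set(folder_views))


def check_by_collision(new_id, folder_views):
    """Rule proposed in the reply: refuse only ids that hide a declared view."""
    return not shadowed_names(new_id, folder_views)


def audit_existing(ids, folder_views):
    """Re-check stored ids, e.g. after a new view is declared for the folder.

    A collision check made at add time cannot see views registered later.
    """
    hits = {}
    for existing_id in ids:
        names = shadowed_names(existing_id, folder_views)
        if names:
            hits[existing_id] = names
    return hits


if __name__ == "__main__":
    for candidate in ("@home", "+1-notes", "index.html", "@@contents.html", "+"):
        print(candidate, check_by_prefix(candidate),
              check_by_collision(candidate, VIEWS))
    # "report" was accepted earlier; a view named "report" is declared afterwards.
    print(audit_existing(["@home", "report"], VIEWS | {"report"}))
```

The collision rule accepts `@home` and `+1-notes`, which the prefix rule alone refuses, and it catches `index.html`, which a prefix rule on its own would let through. The audit function covers the case where an id was valid when added and collides only after a later view registration.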