Andreas Jung wrote:
--On Friday, 22 October 2004 8:38 -0400 Tres Seaver <tseaver@zope.com> wrote:
Andreas Jung wrote:
How severe is the problem that you have fixed? According to some rumors the fix seems to break applications. The question for Zope 2.7.3 final is: is the problem severe enough to have it fixed for 2.7.3 with the risk of causing trouble with broken applications or can we defer the fix to Zope 2.8?
-1.
I have yet to get a reproducible test case (one which breaks on 2.7-head but works on 2.7.2) from the examples folks have supplied. The bug which I was fixing is a security issue, reported against CMF, but also affecting Zope: http://zope.org/Collectors/CMF/259
Given that the change was required to implement a security fix, and without a reproducible test case for the reported breakage, I don't think we can credit the rumors. We *definitely* don't want to defer the security fix.
I am not against the patch...I just need to know what the state of this issue is and what its implications are for the final 2.7.3 release :-)
OK, here is my take, rephrased: the patch is there to support an important security fix (see the link above). Without a reproducible test case (I've tried and failed to make Stefan's reproducible within the AccessControl tests), we should just go forward and release 2.7.3.
Applications which use 'setDefaultAccess("deny")' for their content objects may need to quit trying to acquire CMF tools implicitly (using 'getToolByName' instead, which is the preferred API anyway); that is the only case I know of which can be isolated. Richard Jones reported an issue with the patch, but couldn't give us a simple case. Users who *have* such weird applications can reverse the patch, find workarounds, or whatever, until they can help us isolate the bug.
Tres.
--
===============================================================
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com