Yup, the problem's still there...
Lance wrote:
I think you have to not only inherit RoleManager, but OFS.SimpleItem.Item as well. At least, that's what the Security HOWTO seems to imply.
No, it shouldn't :(
SimpleItem.Item has __allow_access_to_unprotected_subobjects__=1 in it, so it just masks the problem rather than solving it properly...
cheers,
Chris

Ah.... That would explain it!
How about this, instead of an attribute, I created a method:

    def icon(self):
        return 'misc_/Squishdot/squishfile_img'

This seemed to work. Attached is the patch. Comments?
-Lance

On Tue, 22 Aug 2000, Chris Withers wrote:
Lance wrote:
I think you have to not only inherit RoleManager, but OFS.SimpleItem.Item as well. At least, that's what the Security HOWTO seems to imply.
No, it shouldn't :(
SimpleItem.Item has __allow_access_to_unprotected_subobjects__=1 in it, so it just masks the problem rather than solving it properly...
cheers,
Chris
...but doesn't solve what I suspect is a problem with string attributes in the new security stuff (although I'm going to see if I can knock up a simple test case to see what's really going on ;-)
How about this, instead of an attribute, I created a method:

    def icon(self):
        return 'misc_/Squishdot/squishfile_img'

I like it :-) ...but this won't work for the posting attributes like subject, body, etc :(
This seemed to work. Attached is the patch. Comments?
I think you did the diff in the wrong order ;-)
Anyway, I think I'm just going to release 0.7.0 with the nasty __allow_access_to_unprotected_subobjects__=1 in it and do a 0.7.1 release when the mess is sorted out :S
cheers for the testing/coding/patches :-)
Chris

On Thu, 24 Aug 2000, Chris Withers wrote:
...but doesn't solve what I suspect is a problem with string attributes in the new security stuff (although I'm going to see if I can knock up a simple test case to see what's really going on ;-)
...
...but this won't work for the posting attributes like subject, body, etc :(
Well, I'm at a loss. I tried a bunch of things myself, and I've found out that instances of the Article class are not inheriting __ac_permissions__ from the Posting class. In fact, even if you override __ac_permissions__ in the Article class, the validate() method is reporting there's nothing there. What I don't understand is, SquishSite works, and SquishFile works, what's so different about the Posting/Article classes? I thought all one had to do was inherit RoleManager, and set everything properly in __ac_permissions__? Or am I totally not getting the 2.2 Security model? Do you know what's going on here?
Anyway, I think I'm just going to release 0.7.0 with the nasty __allow_access_to_unprotected_subobjects__=1 in it and do a 0.7.1 release when the mess is sorted out :S
You mean begin Squishdot: The Next Generation (SquishdotPTK)? :-)
--
--Lance

Lance wrote:
Well, I'm at a loss. I tried a bunch of things myself, and I've found out that instances of the Article class are not inheriting __ac_permissions__ from the Posting class.
How did you find this out? It'd be good to know 'cos it might be a weird acquisition wrapping thing rather than a security problem, as such...
In fact, even if you override __ac_permissions__ in the Article class, the validate() method is reporting there's nothing there. What I don't understand is, SquishSite works, and SquishFile works, what's so different about the Posting/Article classes?
Indeed, I'd love to hear some answers :-) That said, I did get exactly the same problems with the SquishFile class, so I'm not convinced it's only articles and replies that have problems...
I thought all one had to do was inherit RoleManager,
Can someone please tell me what inheriting from RoleManager is actually supposed to do or where I can find that out?
cheers,
Chris

participants (3): Chris Withers, Lance, odysseus@acedsl.com