Security audit introduced problem in PageTemplates/Expression.py
The 'security audit work for the 2.7 branch' commit on 8th Jan made the following change in PageTemplates/Expression.py:

    ***************
    *** 312,318 ****
              # Skip directly to item access
              o = object[name]
              # Check access to the item.
    !         if not validate(object, object, name, o):
                  raise Unauthorized, name
              object = o
              continue
    --- 307,313 ----
              # Skip directly to item access
              o = object[name]
              # Check access to the item.
    !         if not validate(object, object, None, o):
                  raise Unauthorized, name
              object = o
              continue
    ***************
    *** 367,373 ****
                  raise
              else:
                  # Check access to the item.
    !             if not validate(object, object, name, o):
                      raise Unauthorized, name
              object = o
    --- 362,368 ----
                  raise
              else:
                  # Check access to the item.
    !             if not validate(object, object, None, o):
                      raise Unauthorized, name
              object = o

This has the side effect of not passing the name attribute to my security assertion methods registered via ClassSecurityInfo.setDefaultAccess:

    from AccessControl import ClassSecurityInfo

    class Foo(blah, blah, blah):
        security = ClassSecurityInfo()

        def _checkAccess(self, name, value):
            # Default access hook: only names starting with 'CG' are allowed
            if name.startswith('CG'):
                return 1
            return 0
        security.setDefaultAccess(_checkAccess)

        def __getitem__(self, key):
            ''' Access via dictionary interface, with security provided via _checkAccess '''
            return 'example'

Reversing the changes to Expression.py seems to break lots of things (including SiteErrorLog), so I'm sure this is much more involved. Can anyone shed light onto what is going on?

--
Stuart Bishop <stuart@stuartbishop.net>
http://www.stuartbishop.net/
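Review bot: in the 312,318 hunk the third argument to validate() changes from name to None even though the failure path on the next line still raises Unauthorized with name, so the item name is available at this call site; any default-access hook registered through ClassSecurityInfo.setDefaultAccess now receives name=None, and a hook written like the _checkAccess above (name.startswith('CG')) will fail with an AttributeError on None instead of returning a deny decision. If the intent is that items fetched via object[name] are validated as subobjects of the container rather than as named attributes, a comment on the validate() line saying so, and a note in the setDefaultAccess contract that name may be None, would make the behaviour change visible to people maintaining such hooks.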
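Review bot: the 367,373 hunk makes the same substitution of None for name in the validate() call in the else branch, so the remark for the first hunk applies here as well; since both sites now pass None while still reporting name in the Unauthorized they raise, it would be worth stating once, near the first occurrence, why the name is deliberately withheld from the security policy and the default-access hooks it invokes, rather than leaving two identical unexplained edits.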