Hi!
I did plan to work on a small catalog improvement, but after looking at the code I'd like to do some cleanup first:
1.) remove the deprecated TextIndex
The deprecation warning says: 'Using TextIndex is deprecated (will be removed in Zope ' '2.12). Use ZCTextIndex instead.'
2.) remove CHANGES.txt, README.txt and version.txt from Products/ZCatalog
These files seem to be obsolete.
3.) remove security declarations from ZCTextIndex and DateRangeIndex
All the other indexes don't have security declarations. AFAICS there is no way to access indexes from untrusted code without having the 'Manage ZCatalogIndex Entries' permission.
4.) add 'indexSize' to IPluggableIndex and implement it where missing
ZCatalog uses that method and most indexes implement it already.
If there are no objections, I'll make these changes on the 2.12 branch and the trunk.
Cheers, Yuppie
On 6/29/09 12:48 PM, yuppie wrote:
Hi!
I did plan to work on a small catalog improvement, but after looking at the code I'd like to do some cleanup first:
1.) remove the deprecated TextIndex
The deprecation warning says: 'Using TextIndex is deprecated (will be removed in Zope ' '2.12). Use ZCTextIndex instead.'
2.) remove CHANGES.txt, README.txt and version.txt from Products/ZCatalog
These files seem to be obsolete.
3.) remove security declarations from ZCTextIndex and DateRangeIndex
All the other indexes don't have security declarations. AFAICS there is no way to access indexes from untrusted code without having the 'Manage ZCatalogIndex Entries' permission.
4.) add 'indexSize' to IPluggableIndex and implement it where missing
ZCatalog uses that method and most indexes implement it already.
An API to both get and set 'extras' would be very useful for GenericSetup as well :)
Wichert.
On 29.06.09 12:48, yuppie wrote:
Hi!
I did plan to work on a small catalog improvement, but after looking at the code I'd like to do some cleanup first:
1.) remove the deprecated TextIndex
The deprecation warning says: 'Using TextIndex is deprecated (will be removed in Zope ' '2.12). Use ZCTextIndex instead.'
+1
2.) remove CHANGES.txt, README.txt and version.txt from Products/ZCatalog
These files seem to be obsolete.
+1
3.) remove security declarations from ZCTextIndex and DateRangeIndex
All the other indexes don't have security declarations. AFAICS there is no way to access indexes from untrusted code without having the 'Manage ZCatalogIndex Entries' permission.
I think that all index implementations should have security assertions?!
4.) add 'indexSize' to IPluggableIndex and implement it where missing
ZCatalog uses that method and most indexes implement it already.
+1
Andreas
Hi Andreas!
Andreas Jung wrote:
On 29.06.09 12:48, yuppie wrote:
3.) remove security declarations from ZCTextIndex and DateRangeIndex
All the other indexes don't have security declarations. AFAICS there is no way to access indexes from untrusted code without having the 'Manage ZCatalogIndex Entries' permission.
I think that all index implementations should have security assertions?!
Why?
'_catalog.indexes' is protected by the underscore and using the 'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only additional security restrictions would have any effect.
Or am I missing a security hole?
Cheers, Yuppie
On 29.06.09 19:33, yuppie wrote:
Hi Andreas!
Andreas Jung wrote:
On 29.06.09 12:48, yuppie wrote:
3.) remove security declarations from ZCTextIndex and DateRangeIndex
All the other indexes don't have security declarations. AFAICS there is no way to access indexes from untrusted code without having the 'Manage ZCatalogIndex Entries' permission.
I think that all index implementations should have security assertions?!
Why?
'_catalog.indexes' is protected by the underscore and using the 'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only additional security restrictions would have any effect.
Or am I missing a security hole?
Not sure. I created a catalog /catalog and an index 'my_index'. Within a debug shell:
app.catalog.Indexes['my_index']
<FieldIndex at my_index>
app.unrestrictedTraverse('catalog/Indexes/my_index')
<FieldIndex at /catalog//my_index>
app.restrictedTraverse('catalog/Indexes/my_index')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 301, in restrictedTraverse
    return self.unrestrictedTraverse(path, default, restricted=True)
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 236, in unrestrictedTraverse
    next = guarded_getattr(obj, name)
AccessControl.unauthorized.Unauthorized: You are not allowed to access 'Indexes' in this context
hmmmm...
Andreas
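Added example (not part of the thread and not Zope or AccessControl code): a simplified, standard-library model of the two gates discussed above, the leading-underscore rule and the permission on the 'Indexes' alias, recording which permission checks a restricted traversal actually evaluates. Node, guarded_get, restricted_traverse and build_app are hypothetical names, and the model covers only these two rules, not the rest of Zope's security policy.

```python
# Added example: simplified stand-in for Zope's guarded traversal, not AccessControl.
class Unauthorized(Exception):
    pass

MANAGE_INDEXES = "Manage ZCatalogIndex Entries"  # permission name from the thread

class Node:
    """Hypothetical object; each child may need a permission to be fetched."""
    def __init__(self, name):
        self.name = name
        self.children = {}   # child name -> Node
        self.protected = {}  # child name -> permission required to fetch it

    def add(self, child, permission=None):
        self.children[child.name] = child
        if permission is not None:
            self.protected[child.name] = permission
        return child

def guarded_get(parent, name, user_permissions, checked):
    """Fetch one child through the two gates described in the thread."""
    if name.startswith("_"):
        raise Unauthorized(f"'{name}' is private (leading underscore)")
    required = parent.protected.get(name)
    checked.append((name, required))  # record each permission check evaluated
    if required is not None and required not in user_permissions:
        raise Unauthorized(f"You are not allowed to access '{name}' in this context")
    return parent.children[name]

def restricted_traverse(root, path, user_permissions):
    """Walk path with checks; return (object or None, checks, error or None)."""
    obj, checked = root, []
    try:
        for name in path.split("/"):
            obj = guarded_get(obj, name, user_permissions, checked)
    except Unauthorized as exc:
        return None, checked, str(exc)
    return obj, checked, None

def build_app(index_permission=None):
    """Constructed tree: catalog/Indexes/my_index plus a private _catalog."""
    app = Node("app")
    catalog = app.add(Node("catalog"))
    catalog.add(Node("_catalog"))
    indexes = catalog.add(Node("Indexes"), permission=MANAGE_INDEXES)
    indexes.add(Node("my_index"), permission=index_permission)
    return app
```

In this model, restricted_traverse(build_app(), "catalog/Indexes/my_index", set()) is refused at 'Indexes', and the list of evaluated checks is the same when build_app is given an index-level permission.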
participants (3)
- Andreas Jung
- Wichert Akkerman
- yuppie