On 2/11/06, Kees de Brabander <cj.de.brabander@hccnet.nl> wrote:
Unaware of any security risks, I used this "feature" from zope 1.10.x on and, regularly upgrading my applications, I had no problems until zope 2.7.8.
Admittedly, I didn't use 1.10, I only discovered Zope two months later, with 2.0.1. And I don't remember those details that far back. But at least in 2.4.0, this code was called when you did user.allowed():

    def _check_context(self, object):
        # Check that 'object' exists in the acquisition context of
        # the parent of the acl_users object containing this user,
        # to prevent "stealing" access through acquisition tricks.
        # Return true if in context, false if not or if context
        # cannot be determined (object is not wrapped).
        parent = getattr(self, 'aq_parent', None)
        context = getattr(parent, 'aq_parent', None)
        if context is not None:
            if object is None:
                return 1
            if not hasattr(object, 'aq_inContextOf'):
                if hasattr(object, 'im_self'):
                    # This is a method. Grab its self.
                    object=object.im_self
                if not hasattr(object, 'aq_inContextOf'):
                    # Object is not wrapped, so return false.
                    return 0
            if object.aq_inContextOf(context, 1):
                return 1
        # This is lame, but required to keep existing behavior.
        return 1

And hence, you can't have done this after Zope 2.4.0. So I still think you are talking about something else.

-- 
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/