Please put this in the collector or it may get lost.

Thanks, Stefan

On 10 Mar 2005, at 11:07, Malcolm Cleaton wrote:
On Wed, 09 Mar 2005 19:23:53 +0100, Dieter Maurer wrote:
Malcolm Cleaton wrote at 2005-3-9 10:59 +0000:
The issue can be worked around more easily than this. It is only the magic "Authenticated" role which appears to suffer from this problem.
It should not be necessary:
A user should not be able to access any *protected* (!) object outside the subhierarchy governed by the user folder that authenticated the user.
But maybe, we have a bug (and "aq_inContextOf" does not work as expected).
Yes, this shouldn't be necessary, and it looks like it's a bug.
Looks to me like the bug is in User.py's allowed method. Quite simply, when it checks for the Authenticated role, it doesn't call self._check_context, so never attempts to detect and foil acquisition tricks. Unless I'm missing something, it should be a quick and easy fix.
Thanks, Malcolm.
-- Software Engineering is Programming when you can't. --E. W. Dijkstra
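The following is an added illustration, not part of the thread above and not Zope's own code: a toy model of the `allowed` short-cut Malcolm describes. Zope's real `_check_context` uses acquisition (`aq_inContextOf` against the parent of the `acl_users` folder that authenticated the user); here containment is modelled with a plain parent pointer, and all class, function and object names (`Node`, `User`, `/sub/acl_users`, `mallory`, `/secret`) are assumptions made for the example. The `check_authenticated_context` flag switches between the buggy branch, which returns before the context check, and the corrected one.

```python
"""Toy model of the 'Authenticated' role short-cut bug discussed above.

Constructed example, not Zope's code. A user authenticated by a nested
user folder (/sub/acl_users) should only reach protected objects under
/sub. For ordinary roles, allowed() calls _check_context() before
granting access. The bug: the short-cut taken when an object is
protected only by the magic 'Authenticated' role never calls
_check_context(), so the user can reach /secret outside /sub.
"""


class Node:
    """An object in a containment tree. roles=None means unprotected."""

    def __init__(self, name, parent=None, roles=None):
        self.name = name
        self.parent = parent
        self.roles = roles

    def contained_in(self, container):
        """True if container lies on this node's containment chain."""
        node = self
        while node is not None:
            if node is container:
                return True
            node = node.parent
        return False


class User:
    def __init__(self, name, roles, user_folder):
        self.name = name
        self.roles = roles              # roles granted in the user folder
        self.user_folder = user_folder  # the acl_users that authenticated us

    def _check_context(self, obj):
        # Stand-in for Zope's aq_inContextOf(obj, acl_users.aq_parent, 1):
        # obj must be contained in the parent of our user folder.
        return obj.contained_in(self.user_folder.parent)

    def allowed(self, obj, object_roles, check_authenticated_context):
        """Return True if this user may access obj.

        check_authenticated_context=False reproduces the bug: the
        'Authenticated' short-cut returns before _check_context runs.
        """
        if object_roles is None or 'Anonymous' in object_roles:
            return True
        if 'Authenticated' in object_roles and self.name != 'Anonymous User':
            if not check_authenticated_context:
                return True                      # bug: no context check
            return self._check_context(obj)      # fix: check like any role
        for role in object_roles:
            if role in self.roles:
                return self._check_context(obj)  # ordinary roles are checked
        return False


def build_scenario():
    """Constructed tree: /acl_users, /secret, /admin, /sub/acl_users, /sub/page."""
    root = Node('')
    Node('acl_users', root)
    secret = Node('secret', root, roles=['Authenticated'])
    admin = Node('admin', root, roles=['Manager'])
    sub = Node('sub', root)
    sub_users = Node('acl_users', sub)
    page = Node('page', sub, roles=['Authenticated'])
    mallory = User('mallory', ['Manager'], sub_users)  # authenticated by /sub/acl_users
    return mallory, secret, admin, page


def demo():
    """Access decisions for mallory with and without the context check."""
    mallory, secret, admin, page = build_scenario()
    return {
        'buggy_secret': mallory.allowed(secret, secret.roles, False),  # leak
        'fixed_secret': mallory.allowed(secret, secret.roles, True),   # denied
        'buggy_page': mallory.allowed(page, page.roles, False),        # inside /sub
        'fixed_page': mallory.allowed(page, page.roles, True),         # still allowed
        'buggy_admin': mallory.allowed(admin, admin.roles, False),     # Manager is context-checked
    }


if __name__ == '__main__':
    for decision, value in demo().items():
        print(decision, value)
```

Only `/secret` changes between the two variants: the `Manager`-protected `/admin` is already refused because the ordinary-role path calls `_check_context`, which is why the thread observes that only the `Authenticated` role is affected.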