On Wed, 09 Mar 2005 19:23:53 +0100, Dieter Maurer wrote:
Malcolm Cleaton wrote at 2005-3-9 10:59 +0000:
The issue can be worked around more easily than this. It is only the magic "Authenticated" role which appears to suffer from this problem.
It should not be necessary:
A user should not be able to access any *protected* (!) object outside the subhierarchy governed by the user folder that authenticated the user.
But maybe, we have a bug (and "aq_inContextOf" does not work as expected).
Yes, this shouldn't be necessary, and it looks like it's a bug. Looks to me like the bug is in User.py's allowed method. Quite simply, when it checks for the Authenticated role, it doesn't call self._check_context, so never attempts to detect and foil acquisition tricks. Unless I'm missing something, it should be a quick and easy fix.

Thanks,
Malcolm.

--
jamkit
web solutions for charities
malcolm cleaton
T: 020 7549 0520 F: 020 7490 1152 M: 07986 563852
W: www.jamkit.com
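A simplified model of the check Malcolm describes, added here as an illustration (it is not Zope's User.py): a user authenticated by one user folder asks for an object protected by the Authenticated role, once with the shortcut that skips self._check_context and once with the context check applied. The Node and User classes, the build_site() tree and the plain parent pointers standing in for acquisition wrappers are assumptions of this example.

```python
class Node:
    """A container in a content tree; `parent` stands in for aq_parent."""
    def __init__(self, name, parent=None, roles=None):
        self.name, self.parent, self.roles = name, parent, roles

    def in_context_of(self, context):
        """Stand-in for aq_inContextOf: is `context` on our parent chain?"""
        node = self
        while node is not None:
            if node is context:
                return True
            node = node.parent
        return False


class User:
    def __init__(self, name, user_folder, roles=("Authenticated",)):
        self.name, self.user_folder, self.roles = name, user_folder, roles

    def _check_context(self, obj):
        # The object must live under the folder that owns our user folder;
        # otherwise access is being "acquired" from outside that subtree.
        owner = self.user_folder.parent
        return owner is not None and obj.in_context_of(owner)

    def allowed(self, obj, with_fix):
        """Return True if this user may access obj, given obj.roles."""
        if obj.roles is None or "Anonymous" in obj.roles:
            return True
        if "Authenticated" in obj.roles and self.name != "Anonymous User":
            if not with_fix:
                return True          # shortcut: context never checked
            return self._check_context(obj)
        for role in obj.roles:       # ordinary roles already check context
            if role in self.roles:
                return self._check_context(obj)
        return False


def build_site():
    """Constructed sample tree: root/secret and root/sub/{acl_users,inside}."""
    root = Node("root")
    secret = Node("secret", root, roles=("Authenticated",))
    sub = Node("sub", root)
    acl_users = Node("acl_users", sub)
    inside = Node("inside", sub, roles=("Authenticated",))
    return User("alice", acl_users), inside, secret
```

With the shortcut, alice (authenticated by sub/acl_users) is allowed root/secret even though it lies outside sub; with the context check she keeps access to sub/inside only.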