I did last week.

On Thu, 10 Mar 2005 16:18:42 +0100, Stefan H. Holek <stefan@epy.co.at> wrote:
Please put this in the collector or it may get lost.
Thanks, Stefan
On 10 Mar 2005, at 11:07, Malcolm Cleaton wrote:
On Wed, 09 Mar 2005 19:23:53 +0100, Dieter Maurer wrote:
Malcolm Cleaton wrote at 2005-3-9 10:59 +0000:
The issue can be worked around more easily than this. It is only the magic "Authenticated" role which appears to suffer from this problem.
It should not be necessary:
A user should not be able to access any *protected* (!) object outside the subhierarchy governed by the user folder that authenticated the user.
But maybe, we have a bug (and "aq_inContextOf" does not work as expected).
Yes, this shouldn't be necessary, and it looks like it's a bug.
Looks to me like the bug is in User.py's allowed method. Quite simply, when it checks for the Authenticated role, it doesn't call self._check_context, so never attempts to detect and foil acquisition tricks. Unless I'm missing something, it should be a quick and easy fix.
Thanks, Malcolm.
-- Software Engineering is Programming when you can't. --E. W. Dijkstra
-- Greg Fischer 1st Byte Solutions http://www.1stbyte.com
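A simplified model of the check Malcolm describes above, added here as an example for this thread (constructed code, not Zope's User.py; the Node, UserFolder, User and build_site names and the buggy/fixed pair are assumptions of the model): a user folder governs the folder that contains it, and a role match for a protected object only counts when the object lies inside that governed subhierarchy.

```python
# Constructed, simplified model of the check discussed in the thread; it is not
# Zope's User.py.  A UserFolder governs the folder that contains it, and
# allowed() must refuse protected objects outside that folder (_check_context).

class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

    def ancestors(self):
        node = self                       # self, then each container up to root
        while node is not None:
            yield node
            node = node.parent

class UserFolder(Node):
    pass

class User:
    def __init__(self, name, roles, user_folder):
        self.roles = set(roles) | {"Authenticated"}   # the "magic" role
        self.user_folder = user_folder

    def _check_context(self, obj):
        # obj must live somewhere inside the folder the user folder governs
        governed = self.user_folder.parent
        return any(node is governed for node in obj.ancestors())

    def allowed_buggy(self, obj, object_roles):
        # Behaviour described in the thread: Authenticated skips the check
        if "Authenticated" in object_roles:
            return True
        return bool(self.roles & set(object_roles)) and self._check_context(obj)

    def allowed_fixed(self, obj, object_roles):
        # Same decision, but every role match is subject to _check_context
        if not self.roles & set(object_roles):
            return False
        return self._check_context(obj)

def build_site():
    # root/acl_users governs everything; root/site/acl_users governs only site
    root = Node("root")
    root_users = UserFolder("acl_users", root)
    site = Node("site", root)
    site_users = UserFolder("acl_users", site)
    admin_area = Node("admin_area", root)   # protected with the Authenticated role
    return root_users, site_users, admin_area
```

With this model, a user authenticated by root/site/acl_users passes allowed_buggy for root/admin_area but is refused by allowed_fixed, while a user from root/acl_users is allowed by both.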