'Inherited' Security Problem
Hi All,

After I upgraded to Zope 2.6.0 I'm no longer able to use dtml-var to include a restricted DTML method in a non-restricted DTML method. The previous versions of Zope would give me the possibility to log in to see the complete page or to deny complete access. Nowadays the page gives a KeyError with the value of the restricted page.

Does anyone have a solution?

Greetings,
Ralph
Ralph vd Houdt wrote at 2003-6-25 09:08 +0200:

> After I upgraded to Zope 2.6.0 I'm no longer able to use dtml-var to include a restricted DTML method in a non-restricted DTML method. The previous versions of Zope would give me the possibility to log in to see the complete page or to deny complete access. Nowadays the page gives a KeyError with the value of the restricted page.
>
> Does anyone have a solution?
I do not have a solution, just a remark.

The (in my view) bug was introduced a long time ago. Apparently, a security fanatic decided that unauthorized objects should not be seen at all (and converted some "Unauthorized" into "KeyError"). However, it might also have been introduced accidentally.

You may file a bug report. However, as Zope's security code is quite weird, I have little hope that the behaviour will be changed in Zope 2.

As a (nasty) workaround, you might catch the "KeyError" exception and raise an "Unauthorized" again.

An alternative would be to leave DTML and use ZPT instead.

Dieter
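The workaround Dieter describes, written out as a DTML method. This is an added example and not code posted in the thread; it assumes a restricted DTML method named restricted_page (a hypothetical name) reachable by acquisition from the unrestricted method that includes it.

```dtml
<dtml-comment>
  Added example, not from the thread. "restricted_page" is a hypothetical
  name for the protected DTML method being included.
  In Zope 2.6 the failed permission check surfaces as KeyError with the
  name of the restricted object; the except arm turns it back into an
  Unauthorized so the publisher asks for credentials (HTTP 401 or the
  login form of your user folder) instead of rendering a KeyError.
</dtml-comment>
<dtml-var standard_html_header>

<dtml-try>
  <dtml-var restricted_page>
<dtml-except KeyError>
  <dtml-raise Unauthorized>You must log in to view this page.</dtml-raise>
</dtml-try>

<dtml-var standard_html_footer>
```

Keep the body of the dtml-try to the single include: the except arm catches every KeyError raised while rendering it, so a misspelled variable name anywhere inside would also be reported as "Unauthorized" and quietly turn a bug into a login prompt. An anonymous user who cannot log in still gets no content, so nothing from the restricted method leaks; the only change is that the browser is offered the chance to authenticate, which is the pre-2.6 behaviour Ralph asked for.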