Re: security.declarePrivate allows access to all authenticated users
Forgot to mention: Using Zope 2.3.2.
Hi,
I got the following class:
    from AccessControl import ClassSecurityInfo
    from Products.ZPatterns.Specialists import Specialist
    import Globals

    class MyClass(Specialist):

        security = ClassSecurityInfo()

        security.declarePrivate('test')
        def test(self):
            return 'test'

    Globals.InitializeClass(MyClass)
Foolish old trusting me thought that 'test' would not be accessible from restricted code. And it really isn't accessible to anonymous users, but is freely accessible to all authenticated users.
Why?
--
Itai Tavor -- "Je sautille, donc je suis."
itai@optusnet.com.au -- - Kermit the Frog

"If you haven't got your health, you haven't got anything"
Itai Tavor wrote:
> Foolish old trusting me thought that 'test' would not be accessible from restricted code. And it really isn't accessible to anonymous users, but is freely accessible to all authenticated users.

Sounds like a pretty nasty bug, stick it in the collector...

cheers,

Chris
Chris Withers wrote:
> Itai Tavor wrote:
>> Foolish old trusting me thought that 'test' would not be accessible from restricted code. And it really isn't accessible to anonymous users, but is freely accessible to all authenticated users.
>
> Sounds like a pretty nasty bug, stick it in the collector...
>
> cheers,
>
> Chris
I wouldn't want to do that just yet... it seems impossible that nobody else hit this, if it really is a bug. So unless anyone else manages to reproduce it, it's more likely to be some pathological combination of products, versions and classes that my typical bad luck caused me to encounter. I'll wait to see what other comments I get, and I'll try to isolate the problem in a limited test case.

Itai

--
Itai Tavor -- "Je sautille, donc je suis."
itai@optusnet.com.au -- - Kermit the Frog

"If you haven't got your health, you haven't got anything"