[Zope-Checkins] CVS: Packages/AccessControl - ZopeGuards.py:1.16.2.5
Tres Seaver
tseaver at zope.com
Tue Apr 5 17:18:15 EDT 2005
Update of /cvs-repository/Packages/AccessControl
In directory cvs.zope.org:/tmp/cvs-serv19057/lib/python/AccessControl
Modified Files:
Tag: Zope-2_7-branch
ZopeGuards.py
Log Message:
Hotfix_20050405: prevent untrusted code from shadowing roles on protected methods of base classes.
=== Packages/AccessControl/ZopeGuards.py 1.16.2.4 => 1.16.2.5 ===
--- Packages/AccessControl/ZopeGuards.py:1.16.2.4 Fri Jan 7 17:03:59 2005
+++ Packages/AccessControl/ZopeGuards.py Tue Apr 5 17:17:44 2005
@@ -338,6 +338,9 @@
# This metaclass supplies the security declarations that allow all
# attributes of a class and its instances to be read and written.
def _metaclass(name, bases, dict):
+ for k, v in dict.items():
+ if k.endswith('__roles__') and k[:len('__roles__')] not in dict:
+ raise Unauthorized, "Can't override security: %s" % k
ob = type(name, bases, dict)
ob.__allow_access_to_unprotected_subobjects__ = 1
ob._guarded_writes = 1
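Review bot: the slice in the new check, `k[:len('__roles__')]`, keeps the first nine characters of the key instead of stripping the `__roles__` suffix, so for a key such as `foo__roles__` the membership test looks up `'foo__role'` rather than `'foo'`, and `Unauthorized` is raised even when `foo` is defined in the same class body. It should read `k[:-len('__roles__')]` (negative length), so that a roles declaration is accepted exactly when the attribute it protects is defined alongside it, which is what the log message describes. The loop also binds `v` without using it; `for k in dict:` would be cleaner.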