[Zope-Coders] Re: [Zope-Checkins] CVS: Zope/lib/python/AccessControl - ZopeGuards.py:1.13
R. David Murray
rdmurray@fcgnetworks.net
Tue, 17 Dec 2002 16:00:24 -0500 (EST)
On Tue, 17 Dec 2002, Chris Withers wrote:
> Martijn Pieters wrote:
> > The point is that untrusted users can cause imports.
>
> But they can do that anyway, just by dumping a package in the Products directory.
If they can dump a package in the Products directory they are by definition
a trusted user, not an untrusted one. An untrusted one is one that
comes in through the Zope web interface.
> > Only admins can cause
> > packages to be placed in Products; your change allows *any* package to be
> > imported.
>
> But only 'admins' can install packages...
Yes, but that doesn't mean they get imported. This applies also
to code installed in the system lib/python, which the admin is
certainly not going to think of in terms of being imported into
zope by untrusted users...
--RDM
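The distinction the thread draws (an administrator installing a package is not the same as untrusted, web-level code being allowed to import it) is usually enforced with an explicit allow-list on the import hook. The following is an added example, not code from ZopeGuards.py or from anyone in the thread; the `ALLOWED_MODULES` table and all function names are assumptions made for illustration.

```python
"""Allow-list based import guard for code run on behalf of untrusted users.

Added example, not Zope's ZopeGuards.py: it shows how an import hook can
refuse every module that is merely *installed* (in site-packages, or a
Products directory) unless an administrator has explicitly listed it.
"""
import importlib
from typing import Mapping, Sequence

# Hypothetical allow-list: module name -> attribute names untrusted code
# may take from it with "from X import Y".  Anything not listed here is
# refused even though it is importable by trusted code.
ALLOWED_MODULES: Mapping[str, Sequence[str]] = {
    "string": ("ascii_letters", "digits"),
    "math": ("sqrt", "floor"),
}


class ImportDenied(ImportError):
    """Raised when untrusted code tries to import outside the allow-list."""


def guarded_import(name, fromlist=(), allowed=ALLOWED_MODULES):
    """Import `name` only if it is on the allow-list and return the module.

    Both the module name and every name in `fromlist` are checked before
    importlib is called, so an unlisted module is never executed (its
    import-time side effects never run) because untrusted code asked for it.
    """
    if name not in allowed:
        raise ImportDenied("import of %r is not permitted" % name)
    for attr in fromlist:
        if attr not in allowed[name]:
            raise ImportDenied("%r.%r is not permitted" % (name, attr))
    return importlib.import_module(name)


def restricted_builtins(allowed=ALLOWED_MODULES):
    """Build a minimal __builtins__ whose __import__ is the guarded one."""
    def _import(name, globals=None, locals=None, fromlist=(), level=0):
        if level != 0:
            # Relative imports would let code name modules by position
            # rather than by the listed absolute name; refuse them.
            raise ImportDenied("relative imports are not permitted")
        return guarded_import(name, fromlist or (), allowed)
    return {"__import__": _import}


def run_untrusted(source, allowed=ALLOWED_MODULES):
    """Execute `source` with only the guarded __import__ and return its namespace."""
    namespace = {"__builtins__": restricted_builtins(allowed)}
    exec(compile(source, "<untrusted>", "exec"), namespace)
    return namespace


def import_denied(source, allowed=ALLOWED_MODULES):
    """True if the guard refuses `source`; used to check the policy."""
    try:
        run_untrusted(source, allowed)
    except ImportDenied:
        return True
    return False


if __name__ == "__main__":
    ns = run_untrusted("from math import sqrt\nx = sqrt(16.0)\n")
    print("allowed import ok, x =", ns["x"])
    print("import os denied:", import_denied("import os\n"))
    print("from math import pi denied:", import_denied("from math import pi\n"))
```

The guard only controls what the `import` statement can name; it does not, by itself, stop code from walking attributes of a module it was handed to reach other objects, so in practice it is combined with guarded attribute access on the values it returns. The useful property here is the one the thread argues for: installing a package (an administrator's action) does not make it reachable from untrusted code until it is also listed.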