[ZCM] [ZC] 1774/ 2 Comment "fix for checkPermission"
Collector: Zope Bugs, Features, and Patches ...
zope-coders-admin at zope.org
Fri May 6 10:46:36 EDT 2005
Issue #1774 Update (Comment) "fix for checkPermission"
Status Pending, Zope/bug+solution medium
To followup, visit:
http://www.zope.org/Collectors/Zope/1774
==============================================================
= Comment - Entry #2 by tseaver on May 6, 2005 10:46 am
Thanks for the patch. A couple of "mechanical" things I've noted which will help with future submissions:
- Please don't use tab characters in Zope's Python source.
- If you can, creating a unified diff or a context diff makes the patch more comprehensible.
And a substantive one:
- The 'ownerous' check should either be dropped, or it should be enforced across the board (e.g., not short-circuited by 'context.user_allowed'). The point of that machinery is to prevent "Trojan horse" attacks, where a malicious-but-unprivileged user tricks a more privileged user into viewing a page.
In this case, I'm inclined to drop the fix; the 'checkPermission' API is used only by code which is explicitly security conscious, and should be expected to handle such things itself.
________________________________________
= Request - Entry #1 by tmclaugh on May 6, 2005 8:31 am
Uploaded: "checkPermission.zip"
- http://www.zope.org/Collectors/Zope/1774/checkPermission.zip/view
Patches for ImplPython.py and cAccessControl.c to make checkPermission honor Role proxies. Patches against 2.7.5.
==============================================================