[ZCM] [ZC] 1774/ 3 Comment "fix for checkPermission"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Fri May 6 10:48:32 EDT 2005 

Issue #1774 Update (Comment) "fix for checkPermission"
 Status Pending, Zope/bug+solution medium
To followup, visit:
  http://www.zope.org/Collectors/Zope/1774

==============================================================
= Comment - Entry #3 by tseaver on May 6, 2005 10:48 am

Another "substantive" note:

  - Patching the tests with a testcase which fails before the
    main patch, but succeeds afterwards, ensures that the fix
    doesn't get regressed later.  Especially for the securit
    machinery, such testing is probably critical, and it will
    take longer for somebody who doesn't understand the intent
    to write than for the original author of the patch.
________________________________________
= Comment - Entry #2 by tseaver on May 6, 2005 10:46 am

Thanks for the patch.  A couple of "mechanical" things I've noted which will help with future sumisisons:

  - Please don't use tab characters in Zope's Python source.

  - If you can, creating a unified diff or a context diff makes
    the patch more comprehensible.

And a substantive one:

  - The 'ownerous' check should either be dropped, or it should
    be enforced across the board (e.g., not short-circuited
    by 'context.user_allowed').  The point of that machinery is
    to prevent "Trojan horse" attacks, where a malicious-but-
    unprivileged user tricks a more privileged user into viewing
    a page.

    In this case, I'm inclined to drop the fix;  the
    'checkPermission' API is used only by code which is explicitly
    security conscious, and should be expected to handle such
    things itself.
________________________________________
= Request - Entry #1 by tmclaugh on May 6, 2005 8:31 am


Uploaded:  "checkPermission.zip"
 - http://www.zope.org/Collectors/Zope/1774/checkPermission.zip/view
Patches for ImplPython.py and cAccessControl.c to make checkPermission honor Role proxies.  Patches against 2.7.5.
==============================================================

More information about the Zope-Collector-Monitor mailing list