[Zope-dev] Context Acquisition - Security Hole?

Chris Withers chrisw@nipltd.com
Thu, 14 Sep 2000 15:36:57 +0100


Shane Hathaway wrote:
> > How should I go about petitioning for
> > <dtml-var anobject aq_context> to become valid syntax?
> 
> There's one little (okay, big) problem with this idea: aq_context
> strips the security context.  In fact, it could be used to confuse the
> security machinery.
> 
> Let's say I'm Joe Hacker and I have set up membership at
> www.zope.org/Members/jhacker.  I create a DTML method called index_html
> with this:
> 
> <dtml-with Members>
> <dtml-with hathawsh aq_context>
>   <dtml-call expr="index_html.manage_edit('1 0WN U')">
> </dtml-with>
> </dtml-with>

Alright, I give up :-(
This would be really useful, but if it's going to open up security holes
everywhere, then I best leave it alone :-S

cheers,

Chris
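A small constructed model of the point Shane makes above, added here and not part of the original thread or of Zope itself: re-binding an object to a caller-chosen context (what `aq_context` does) must not also re-bind the security check, because the local roles the check collects then come from whichever folder the caller picked. The model below is deliberately simplified (classes, the `Manager` role and the folder layout are all invented for the illustration; Zope's real acquisition and security machinery differ in detail) and puts a check that walks the caller-supplied context chain next to one that walks the object's physical containment chain.

```python
"""Constructed model, not Zope code: context chain versus containment chain.

Names, roles and the folder layout are invented for this illustration.
"""


class Unauthorized(Exception):
    pass


class Node:
    """A content object: name, physical container, and local roles."""

    def __init__(self, name, container=None, local_roles=None):
        self.name = name
        self.container = container              # physical parent, fixed at creation
        self.local_roles = local_roles or {}    # user -> set of role names

    def manage_edit(self, text):
        return f"{self.name} now contains {text!r}"


class Wrapper:
    """An acquisition wrapper: an object plus the chain it was reached through."""

    def __init__(self, obj, context=None):
        self.obj = obj
        self.context = context                  # another Wrapper or None

    def aq_context(self, new_context):
        """Re-wrap the same object in a different context (the operation the thread discusses)."""
        return Wrapper(self.obj, new_context)


def roles_via_context(wrapper, user):
    """Flawed policy: collect local roles along the caller-supplied context chain."""
    roles = set()
    w = wrapper
    while w is not None:
        roles |= w.obj.local_roles.get(user, set())
        w = w.context
    return roles


def roles_via_containment(obj, user):
    """Defensible policy: collect local roles along the object's physical containers."""
    roles = set()
    node = obj
    while node is not None:
        roles |= node.local_roles.get(user, set())
        node = node.container
    return roles


def guarded_edit(wrapper, user, text, use_containment=True):
    """Run manage_edit only if `user` holds Manager under the chosen policy."""
    if use_containment:
        roles = roles_via_containment(wrapper.obj, user)
    else:
        roles = roles_via_context(wrapper, user)
    if "Manager" not in roles:
        raise Unauthorized(f"{user} may not edit {wrapper.obj.name}")
    return wrapper.obj.manage_edit(text)


def build_site():
    """Constructed site: /Members/hathawsh/index_html and /Members/jhacker."""
    root = Node("root")
    members = Node("Members", root)
    hathawsh = Node("hathawsh", members, {"hathawsh": {"Manager"}})
    index_html = Node("index_html", hathawsh)
    jhacker = Node("jhacker", members, {"jhacker": {"Manager"}})
    return root, members, hathawsh, index_html, jhacker


def demo(use_containment):
    """Return (hathawsh_allowed, jhacker_allowed) for hathawsh's index_html
    after it has been re-bound into jhacker's folder as its context."""
    root, members, hathawsh, index_html, jhacker = build_site()
    # Normal acquisition path: root -> Members -> hathawsh -> index_html
    w_root = Wrapper(root)
    w_members = Wrapper(members, w_root)
    w_hathawsh = Wrapper(hathawsh, w_members)
    w_index = Wrapper(index_html, w_hathawsh)
    # The re-binding from the thread: same object, jhacker's folder as context
    w_jhacker = Wrapper(jhacker, w_members)
    rebound = w_index.aq_context(w_jhacker)

    def allowed(user):
        try:
            guarded_edit(rebound, user, "edited text", use_containment)
            return True
        except Unauthorized:
            return False

    return allowed("hathawsh"), allowed("jhacker")


if __name__ == "__main__":
    print("context-chain check   (hathawsh, jhacker):", demo(use_containment=False))
    print("containment check     (hathawsh, jhacker):", demo(use_containment=True))
```

With the context-chain policy the re-bound wrapper no longer passes through hathawsh's folder at all, so the owner loses access and jhacker gains it; the containment policy ignores the caller's chosen context and gives the same answer regardless of how the object was reached.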