[Zope-dev] Security still weird

Michael R. Bernstein webmaven@lvcm.com
01 Aug 2001 13:32:21 -0700


On 01 Aug 2001 13:01:21 -0700, Michael R. Bernstein wrote:
> On 01 Aug 2001 20:01:12 +0200, Joachim Werner wrote:
> > > Supposedly, setting __allow_access_to_unprotected_subobjects__ = 0
> > 
> > I **might** have found an answer to this:
> > [snip]
> > Seems that "__allow_access_to_unprotected_subobjects__ = 0" is wrong. It
> > should either be "1" or a dictionary of permissions ...
> > 
> > Does that help a bit?
> 
> Ok, so I tried to set '__allow_access_to_unprotected_subobjects__ = {}'
> in the class, but this *still* has no effect.

Correction: This *does* disallow access to attributes and methods from
unrestricted code, i.e.:

<dtml-with TestInstance>
 <dtml-var method>
</dtml-with>

raises an unauthorized exception (progress!). However, *traversing* to
the unprotected methods is still being allowed, where I'm fairly certain
that it shouldn't be.

The only thing I'm doing with traversal (assuming that my code is at
fault here) is the following:

def __getitem__(self, id):
    return self.Entries[id].__of__(self)

Entries is a dictionary that uses id as a key, and instances of my
EntryClass as values.

Could this be screwing with the security somehow, and allowing access to
unprotected methods of my main class?

Thanks for the help,

michael Bernstein.