[Zope-dev] strange priv leak
Paul Winkler
pw_lists@slinkp.com
Mon, 19 May 2003 12:50:58 -0400

On Mon, May 19, 2003 at 03:54:44PM -0400, Shane Hathaway wrote:
> Paul Winkler wrote:
> >start declaring security on stuff that's traditionally
> >relied on having no docstring?
>
> We can't, unless we overhaul the security policy. Declarations for
> built-in types get ignored. This is because the security policy depends
> on being able to find a __roles__ attribute on the thing accessed.

ack! ok then, never mind :)

> Even so, we might have to do something like this. As another option, I
> wonder how well it would work to refuse to publish anything that has no
> __roles__ attribute... or some variation on that.

given what you've just told me, that's the obvious solution.

> Zope 2.6 + Python 2.1 tries to disallow access to simple attributes
> because of the number of things it would let you access that you
> couldn't before. Yes, it would be useful, but we need Zope 2.6 + Python
> 2.2 to act the same as Zope 2.6 + Python 2.1.

we do? I thought 2.6 + 2.2 was going to be permanently "not recommended",
and 2.7 + 2.2 was going to be the future.

> You're going to enjoy Zope 3. ;-)

i know, wish i had time to play with it :(

--
Paul Winkler
home: http://www.slinkp.com
"Muppet Labs, where the future is made - today!"
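
The two publishing rules discussed in this thread, as an added example in Python: a simplified model that is not Zope's code and not written by either poster. It contrasts the docstring rule with a "refuse anything that has no __roles__" rule on a string attribute, on an interpreter where string instances expose their type's docstring; all class and function names are hypothetical and the sample values are constructed.

```python
# Simplified model for illustration; NOT Zope's publisher or security policy.
# Every class and function name below is hypothetical.

_MISSING = object()


class Document:
    """A content object with a security declaration."""

    __roles__ = ("Manager",)  # constructed sample declaration

    def __init__(self):
        # A plain string: an instance of a built-in type.
        self.internal_note = "constructed sample value"


def docstring_gate(obj):
    """Traditional rule: an object with no docstring is not published."""
    return bool(getattr(obj, "__doc__", None))


def roles_gate(obj, user_roles):
    """Suggested rule: refuse anything that has no __roles__ attribute."""
    roles = getattr(obj, "__roles__", _MISSING)
    if roles is _MISSING:
        return False  # fail closed: no declaration found
    if roles is None:
        return True  # model assumption: None marks the object public
    return any(role in roles for role in user_roles)


def can_declare(obj, roles=("Manager",)):
    """Report whether a __roles__ declaration can be attached to obj."""
    try:
        obj.__roles__ = roles
    except AttributeError:
        return False  # str and similar built-in instances take no attributes
    return True


def survey(user_roles=("Anonymous",)):
    """Run both gates over a Document and its string attribute."""
    doc = Document()
    note = doc.internal_note
    return {
        "doc_docstring": docstring_gate(doc),
        "note_docstring": docstring_gate(note),
        "doc_roles": roles_gate(doc, user_roles),
        "note_roles": roles_gate(note, user_roles),
    }
```

In this model the string attribute passes the docstring rule but is refused by the __roles__ rule, and no declaration can be attached to it, so it stays refused for every caller.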