[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py
Tres Seaver
tseaver at zope.com
Thu Jan 15 12:19:19 EST 2004
Jim Fulton wrote:
> Tres Seaver wrote:
>> I will let Jim comment on your use case.
>
>
> What use case? I missed it. Where is it?
Here is Stuart's original post:
> This has the side effect of not passing the name attribute to
> my security assertion methods registered via
> ClassSecurityInfo.setDefaultAccess:
>
> class Foo(blah, blah, blah):
>     security = ClassSecurityInfo()
>     def _checkAccess(self, name, value):
>         if name.startswith('CG'):
>             return 1
>         return 0
>     security.setDefaultAccess(_checkAccess)
>
>     def __getitem__(self, key):
>         ''' Access via dictionary interface, with security
>             provided via _checkAccess
>         '''
>         return 'example'
The old code allowed this example to work, because it passed 'name' when
validating __getitem__ access.
Tres.
--
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
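
Added example, not part of the original message and not Zope's AccessControl code: a toy model of the name-based default-access hook discussed above, showing what the hook does when the validator passes the key as 'name' and when it does not. The names guarded_getitem, default_access, outcome and check_access_fail_closed are hypothetical, and a missing name is assumed to arrive as None.

```python
# Toy model of a name-based default-access hook (not Zope's AccessControl code).

class Unauthorized(Exception):
    pass

def check_access(name, value):
    """Stand-in for the post's _checkAccess: allow only names starting with 'CG'."""
    return 1 if name.startswith('CG') else 0

def check_access_fail_closed(name, value):
    """Same policy, but deny when the caller supplies no usable name."""
    if not isinstance(name, str):
        return 0
    return 1 if name.startswith('CG') else 0

class Foo:
    def __init__(self, hook):
        self.default_access = hook  # hypothetical attribute holding the hook
    def __getitem__(self, key):
        return 'example'

def guarded_getitem(obj, key, pass_name):
    """Hypothetical validator: fetch obj[key], then ask the hook to allow it.

    pass_name=True models the old behaviour described in the thread (the key
    is passed as 'name'); pass_name=False models the hook being called
    without it (None is an assumption made for this example).
    """
    value = obj[key]
    name = key if pass_name else None
    if not obj.default_access(name, value):
        raise Unauthorized(key)
    return value

def outcome(hook, key, pass_name):
    """Return 'allowed', 'denied', or the name of the exception the hook raised."""
    try:
        guarded_getitem(Foo(hook), key, pass_name)
        return 'allowed'
    except Unauthorized:
        return 'denied'
    except Exception as exc:
        return type(exc).__name__

if __name__ == '__main__':
    for hook in (check_access, check_access_fail_closed):
        for key in ('CG_report', 'secret'):  # constructed sample keys
            for pass_name in (True, False):
                print(hook.__name__, key, pass_name, outcome(hook, key, pass_name))
```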