[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py
Dieter Maurer
dieter at handshake.de
Thu Jan 15 14:53:57 EST 2004
Jim Fulton wrote at 2004-1-15 10:03 -0500:
> ...
>Right. The name attribute was intended for attribute-based access.
>
>IMO, it makes no sense to consider key values when doing security
>checks.
>
>> I will let Jim comment on your use case.
>
>What use case? I missed it. Where is it?
"AccessControl.SecurityInfo.SecurityInfo.setDefaultAccess"
allows integers, strings, dictionaries mapping names to integers
and functions with signature "name,value --> boolean" as
arguments.
The motivation is that some attributes may be accessible
while others should not. It is highly likely that
this decision is based on the attribute name.
When "None" is passed as name, you lose...
--
Dieter
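
Added example, not part of the original post and not Zope's AccessControl code: a small model of the four policy forms the message lists, showing how name-based decisions behave when the name arrives as None. The function names, the sample attribute names and the fail-closed handling of a missing name in the dictionary case are assumptions of this sketch.

```python
# Added model of a default-access decision; not Zope's AccessControl code.
SECRET_NAMES = {"password", "api_key"}   # constructed sample names


def default_access_allows(policy, name, value):
    """Decide access for one of the four policy forms listed in the post.

    `name` is None when the caller has no attribute name to report,
    for example on key-based access.
    """
    if isinstance(policy, str):      # "allow" / "deny"
        return policy.lower() == "allow"
    if isinstance(policy, int):      # blanket flag, 1 or 0
        return bool(policy)
    if isinstance(policy, dict):     # per-name table
        if name is None:
            return False             # assumption of this model: fail closed
        return bool(policy.get(name, 0))
    if callable(policy):             # name, value --> boolean
        return bool(policy(name, value))
    raise TypeError("unsupported policy: %r" % (policy,))


def blocklist_policy(name, value):
    # Name-based deny list: None is not in the set, so it is allowed.
    return name not in SECRET_NAMES


def allowlist_policy(name, value):
    # Name-based allow list: None is not a string, so it is denied.
    return isinstance(name, str) and name in {"title", "id"}


def decisions(policy):
    """Return (decision with the real name, decision with name=None)."""
    return (default_access_allows(policy, "password", "hunter2"),
            default_access_allows(policy, None, "hunter2"))


if __name__ == "__main__":
    for label, policy in [("dict", {"title": 1}),
                          ("blocklist", blocklist_policy),
                          ("allowlist", allowlist_policy)]:
        print(label, decisions(policy))
```

The deny-list predicate returns (False, True): the same value is refused when its name is supplied and permitted when the name is None, while the allow-list predicate refuses both.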