[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py
Jim Fulton
jim at zope.com
Thu Jan 15 17:23:20 EST 2004
Dieter Maurer wrote:
> Jim Fulton wrote at 2004-1-15 10:03 -0500:
>
>>...
>>Right. The name attribute was intended for attribute-based access.
>>
>>IMO, it makes no sense to consider key values when doing security
>>checks.
>>
>>
>>>I will let Jim comment on your use case.
>>
>>What use case? I missed it. Where is it?
>
>
> "AccessControl.SecurityInfo.SecurityInfo.setDefaultAccess"
> allows integers, strings, dictionary mapping names to integers
> and function with signature "name,value --> boolean" as
> arguments.
>
> The motivation is that some attributes may be accessible
> while others should not. It is highly likely that
> this decision is based on the attribute name.
> When "None" is passed as name, you lose...
None should never be passed for attribute accesses. If it is,
then there is a bug. The case of dictionary mapping names to
whatever is for attribute access. We are talking about item/key
access. I haven't seen a use case for needing to specify separate access
for separate key values.

BTW, telling me that an algorithm has changed doesn't constitute
a use case. :) I know that algorithm has changed. I assert that
we don't need the feature that the change broke. I am open
to evidence to the contrary.

Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
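
The name-based default-access decision discussed in this message, as a simplified model added here for illustration; it is not Zope's AccessControl code and is not from either poster. The function names, the sample policies, the 'allow'/'deny' string values and the deny-when-name-is-missing behaviour are assumptions of the model.

```python
# Simplified model of a default-access policy that may be an integer,
# a string, a dict of name -> integer, or a callable (name, value) -> bool.
# Not Zope's implementation; all names here are hypothetical.

def normalize_default_access(access):
    """Reduce the accepted argument kinds to int, dict or callable."""
    if isinstance(access, str):
        # Assumption: strings are the words 'allow' / 'deny'.
        word = access.lower()
        if word not in ("allow", "deny"):
            raise ValueError("expected 'allow' or 'deny'")
        return int(word == "allow")
    if isinstance(access, (int, dict)) or callable(access):
        return access
    raise TypeError("unsupported default access policy")


def default_access_allows(policy, name, value):
    """Decide access to an unprotected subobject from the policy."""
    policy = normalize_default_access(policy)
    if isinstance(policy, dict):
        # Assumption of this model: names absent from the mapping are denied.
        return bool(policy.get(name, 0))
    if callable(policy):
        return bool(policy(name, value))
    return bool(policy)


# Constructed sample policies.
BY_NAME = {"title": 1, "password": 0}


def public_only(name, value):
    # Assumption: with no name there is nothing to decide on, so deny.
    return name is not None and not name.startswith("_")


def decisions(policy, names):
    """Evaluate one policy for a list of names (None models a missing name)."""
    return [default_access_allows(policy, n, "v") for n in names]


if __name__ == "__main__":
    print(decisions(BY_NAME, ["title", "password"]))  # per-name answers differ
    print(decisions(BY_NAME, [None, None]))           # per-name distinction is gone
    print(decisions("allow", ["title", None]))        # blanket policy ignores the name
```

In this model a check made with `None` as the name gives the same answer for every subobject under the dict and callable policies, while the integer and string policies are unaffected.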