[Zope-dev] 2.7.3 beta attribute permission problems
Santi Camps
scamps at earcon.com
Tue Oct 19 02:33:02 EDT 2004
Dieter Maurer wrote:
>Santi Camps wrote at 2004-10-18 12:37 +0200:
>
>
>>...
>>I have a persistent object A and a non persistent object B. B has
>>implicit acquisition. From trusted code I return B.__of__(A). Trying
>>to access B.meta_type from untrusted code (a ZPT) raises the error. B
>>has no attribute meta_type, so it should be returned from A using
>>implicit acquisition. A has all necessary security assertions.
>>
>>
>
>"meta_type" is probably a string.
>Elementary data types (such as string) do not know
>anything about acquisition.
>The code that checks the permissions cannot (easily) determine
>where it comes from (other than reimplementing acquisition, which
>would not be a good thing).
>
>
>
Yes, meta_type is an attribute of type string, but I don't understand
your reasons. Acquisition, obviously, is not implemented in strings,
but if the object containing the meta_type attribute inherits from
Acquisition.Implicit it should work. In fact, it works for Zope 2.7.0
to 2.7.2. The problem appears in Zope 2.7.3, and I think that the
problem is the change I mentioned in AccessControl/cAccessControl.c and
AccessControl/ImplPython.py. I suppose this change is for some
reasonable reason, but if it breaks security validations through
implicit acquisition I think the change should be considered.
Regards
Santi Camps
http://www.earcon.com