[Zope-dev] Re: 2.7.3 beta attribute permission problems
Dieter Maurer
dieter at handshake.de
Wed Oct 20 14:02:05 EDT 2004
Santi Camps wrote at 2004-10-20 07:18 +0200:
> ...
> Anyway, I can't understand a behaviour that allows access to a method
> directly from the URL and crashes when the access is done from a ZPT.
"ZPublisher" (more precisely: "ZPublisher.BaseRequest.BaseRequest.traverse")
is responsible for security checking for Web traversal. It uses a
different approach than "AccessControl" (which protects access
from restricted code).
As you found out:
Tres fixed a security hole in "AccessControl"
but a similar hole is still present in "ZPublisher"...
> ...
> On the other hand, I don't think that current code could be considered a
> security hole. If a method is unprotected, then the protection of the
> object itself is applied. I like it.
But the names chosen to control this behaviour
("__allow_access_to_unprotected_subobjects__") suggest that this
should not apply automatically.
--
Dieter
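The two checking paths the thread contrasts, as an added illustration that is not code from the thread, from Zope or from AccessControl. The functions `restricted_code_getattr` (standing in for the AccessControl path used by ZPTs) and `web_traverse` (standing in for the ZPublisher traversal path) are hypothetical names, and the rules they apply are a simplified reading of the behaviour described above: the restricted-code path only exposes an attribute without its own permission declaration when the container opts in through `__allow_access_to_unprotected_subobjects__`, whereas the URL path, as Santi describes it, falls back to the permission protecting the object itself. Running `compare` shows the discrepancy Santi reported: a user holding the container's permission reaches the undeclared method via the URL path but is refused by the restricted-code path.

```python
"""Simplified model of the two access-check paths discussed in the thread.

Added example, not Zope's real implementation.  Names and rules are
assumptions chosen to mirror the behaviour the thread describes.
"""


class Forbidden(Exception):
    """Raised when a checker refuses access to an attribute."""


class ProtectedObject:
    """A container whose declared methods carry an explicit permission.

    `_declared` maps attribute name -> permission name.  Any attribute not in
    `_declared` is "unprotected" in the thread's sense: it has no permission
    declaration of its own.
    """

    # Opt-in flag (assumed model: int flag or per-name dict; Zope also
    # accepts a callable, which is omitted here).  Default: do not expose.
    __allow_access_to_unprotected_subobjects__ = 0
    _declared = {"public_view": "View"}
    _container_permission = "View"  # permission protecting the object itself

    def public_view(self):
        return "rendered"

    def helper(self):
        # no permission declared -> "unprotected" subobject
        return "internal"


def user_has(user_permissions, permission):
    return permission in user_permissions


def restricted_code_getattr(container, name, user_permissions):
    """AccessControl-like path (model) used by ZPTs and restricted Python.

    Declared attributes require their own permission.  Undeclared ones are
    allowed only if the container opts in via
    __allow_access_to_unprotected_subobjects__.
    """
    if name in container._declared:
        if user_has(user_permissions, container._declared[name]):
            return getattr(container, name)
        raise Forbidden(name)
    allow = getattr(container, "__allow_access_to_unprotected_subobjects__", 0)
    if isinstance(allow, dict):
        allow = allow.get(name, 0)
    if allow:
        return getattr(container, name)
    raise Forbidden(name)


def web_traverse(container, name, user_permissions):
    """ZPublisher-like URL traversal path as the thread describes it (model):

    an undeclared attribute falls back to the permission protecting the
    container itself instead of consulting the opt-in flag.
    """
    if name in container._declared:
        required = container._declared[name]
    else:
        required = container._container_permission
    if user_has(user_permissions, required):
        return getattr(container, name)
    raise Forbidden(name)


def compare(name, user_permissions):
    """Return (url_result, zpt_result), each 'ok' or 'forbidden', for one name."""
    obj = ProtectedObject()
    results = []
    for checker in (web_traverse, restricted_code_getattr):
        try:
            checker(obj, name, user_permissions)
            results.append("ok")
        except Forbidden:
            results.append("forbidden")
    return tuple(results)


if __name__ == "__main__":
    # A user who holds "View" on the container, asking for the undeclared
    # method: the URL path lets it through, the restricted-code path refuses.
    print("helper, View holder:", compare("helper", {"View"}))
    print("public_view, View holder:", compare("public_view", {"View"}))
    print("helper, anonymous:", compare("helper", set()))
```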