[Zope-dev] Re: Was: Re: 2.7.3 beta attribute permission problems
Santi Camps
scamps at earcon.com
Mon Oct 25 02:32:15 EDT 2004
Tres Seaver wrote:
> Andreas Jung wrote:
>
>>
>>
>> --On Friday, 22 October 2004 8:38 -0400 Tres Seaver
>> <tseaver at zope.com> wrote:
>>
>>> Andreas Jung wrote:
>>>
>>>> how severe is the problem that you have fixed? According to some
>>>> rumors the fix seems to break applications. The question for Zope
>>>> 2.7.3 final is: is the problem severe enough to have it fixed for
>>>> 2.7.3 with the risk of causing trouble with broken applications or
>>>> can we defer the fix to Zope 2.8?
>>>
>>>
>>>
>>> -1.
>>>
>>> I have yet to get a reproducible test case (one which breaks on 2.7-head
>>> but works on 2.7.2) from the examples folks have supplied. The bug which
>>> I was fixing is a security issue, reported against CMF, but also
>>> affecting Zope: http://zope.org/Collectors/CMF/259
>>>
>>> Given that the change was required to implement a security fix, and
>>> without a reproducible test case for the reported breakage, I don't think
>>> we can credit the rumors. We *definitely* don't want to defer the
>>> security fix.
>>
>>
>> I am not against the patch...I just need to know what the state of
>> this issue is and what its implications are for the final 2.7.3
>> release :-)
>
>
> OK, here is my take, rephrased: the patch is there to support an
> important security fix (see the link above). Without a reproducible
> test case (I've tried and failed to make Stefan's reproducible within
> the AccessControl tests), we should just go forward and release 2.7.3.
>
> Applications which use 'setDefaultAccess("deny")' for their content
> objects may need to quit trying to acquire CMF tools implicitly (using
> 'getToolByName' instead, which is the preferred API anyway); that is
> the only case I know of which can be isolated.
>
> Richard Jones reported an issue with the patch, but couldn't give us a
> simple case. Users who *have* such weird applications can reverse the
> patch, find workarounds, or whatever, until they can help us isolate
> the bug.
>
I think that the Product I sent to the list last week was a reproducible
simple test case, wasn't it? If I can help in any other way I will try
to do it.
Regards
Santi Camps
http://www.earcon.com