[Zope-dev] Re: PermissionGeddon
Florent Guillaume
fg at nuxeo.com
Tue Nov 29 10:05:54 EST 2005
On 26 Nov 2005, at 09:28, Hanno Schlichting wrote:
> The second change is actually related to your permission work.
> First of all I have to thank you for your great work :) But I have
> found one nasty thing.
>
> CopySupport had the following security declaration:
>
> __ac_permissions__=(('Copy or Move', (), ('Anonymous', 'Manager',)),)
> ...
> Globals.default__class_init__(CopySource)
>
> which changed into:
>
> security = ClassSecurityInfo()
> security.setPermissionDefault(copy_or_move, ('Anonymous', 'Manager'))
> ...
> InitializeClass(CopySource)
>
> Now the InitializeClass call is actually an alias for the former
> Globals call, so no change here. But as you wrote yourself, you had
> some trouble with the mysterious __ac_permissions format.
>
> Looking at the actual code in App.class_init in the last paragraph
> I'm quite sure that the former code did effectively nothing so far.
> The actual setattr call is inside a 'for mname in mnames:' loop
> where mnames is the second element of each security tuple - in this
> special case the mysterious () which results in not going through
> the 'for mname in mnames:' loop at all.
Ok I just fixed SecurityInfo, could you update AccessControl/ and
recheck please?
Florent
--
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com
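
Added example, not part of the original message and not Zope's own code: a simplified Python model of the old-style loop as the quoted text describes it, showing that an entry with an empty method tuple binds nothing, plus an audit helper that flags such entries. The names apply_ac_permissions, inert_entries and the two sample classes are hypothetical, and the ('Manager',) fallback is an assumption of the model.

```python
# Simplified model (constructed for illustration) of the loop described in the
# quoted message: each entry is (permission, method_names[, default_roles]) and
# the setattr call sits inside "for mname in mnames".

def apply_ac_permissions(cls):
    """Bind roles to methods as the described loop does; return the names set."""
    bound = []
    for entry in cls.__dict__.get('__ac_permissions__', ()):
        pname, mnames = entry[:2]
        # Fallback roles are an assumption of this model.
        roles = entry[2] if len(entry) > 2 else ('Manager',)
        for mname in mnames:              # empty tuple: the body never runs
            setattr(cls, mname + '__roles__', roles)
            bound.append(mname + '__roles__')
    return bound


def inert_entries(cls):
    """Audit helper: permissions that declare default roles but name no methods,
    so the loop above never applies those roles to anything."""
    return [entry[0] for entry in cls.__dict__.get('__ac_permissions__', ())
            if len(entry) > 2 and not entry[1]]


# Constructed sample classes; the first mirrors the declaration quoted above.
class CopySourceLike:
    __ac_permissions__ = (('Copy or Move', (), ('Anonymous', 'Manager',)),)


class WithMethods:
    __ac_permissions__ = (('View', ('index_html',), ('Anonymous',)),)

    def index_html(self):
        return 'ok'


if __name__ == '__main__':
    for cls in (CopySourceLike, WithMethods):
        print(cls.__name__, 'bound:', apply_ac_permissions(cls),
              'inert:', inert_entries(cls))
```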