[Zope-dev] Re: names starting with '@' are not reserved
Dieter Maurer
dieter at handshake.de
Wed Mar 15 15:51:50 EST 2006
yuppie wrote at 2006-3-15 11:23 +0100:
> ...
>Zope 2's checkValidId makes sure this doesn't happen with Zope 2 folder
>methods, Zope 3's NameChooser makes sure this doesn't happen with Zope 3
>folder views. Even the bad_id-patch described above doesn't allow
>overriding folder methods.
Maybe, the "checkValidId" should refuse to add an object with
an id that hides a view declared for this folder and not
reject any id that might (potentially) hide a view because
it starts with "@" or "+"...
This would prevent the security concerns you seem to have
and allow for most ids to be accepted...
--
Dieter