[Zope-dev] security problem in a monkey-patch
Joachim Schmitz
js at aixtraware.de
Wed Sep 19 05:54:48 EDT 2007
Hi,
I have monkey-patched the QueueCatalog to adapt it to our needs, which
works fine. I now wanted to introduce a new feature:
The QueueCatalog should be bypassed during mass-import of data.
So I introduced a new variable "_bypass", and new getBypassQueue() and
setBypassQueue() methods in the monkey-patch:

    security.declareProtected(view_management_screens, 'getBypassQueue')
    def getBypassQueue(self):
        "get _by_pass"
        if not hasattr(self,"_bypass"):
            self._bypass = False
        return self._bypass

    security.declareProtected(view_management_screens, 'setBypassQueue')
    def setBypassQueue(self, bypass=False):
        "set _bypass"
        self._bypass = bypass

    from Products.QueueCatalog.QueueCatalog import QueueCatalog
    QueueCatalog.getBypassQueue = getBypassQueue
    QueueCatalog.setBypassQueue = setBypassQueue

I can invoke these methods from the URL like:

    ../portal_catalog/setBypassQueue?bypass=1

and

    ../portal_catalog/getBypassQueue

displays a 1.
But when I do a:

    <input type="checkbox" name="enable_bypass"
           tal:attributes="checked here/portal_catalog/getBypassQueue" />

I get:
Unauthorized: The container has no security assertions. Access to
'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.
What am I missing here?
--
Regards, Joachim