[Zope-dev] ZCatalog and indexes cleanup
yuppie
y.2009 at wcm-solutions.de
Mon Jun 29 13:33:54 EDT 2009
Hi Andreas!
Andreas Jung wrote:
> On 29.06.09 12:48, yuppie wrote:
>> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>>
>> All the other indexes don't have security declarations. AFAICS there is
>> no way to access indexes from untrusted code without having the 'Manage
>> ZCatalogIndex Entries' permission.
>>
>
> I think that all index implementation should have security assertions?!
Why?
'_catalog.indexes' is protected by the underscore and using the
'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only
additional security restrictions would have any effect.
Or am I missing a security hole?
Cheers,
Yuppie
More information about the Zope-Dev
mailing list