[Zope-dev] ZCatalog and indexes cleanup
Andreas Jung
lists at zopyx.com
Mon Jun 29 13:42:27 EDT 2009
On 29.06.09 19:33, yuppie wrote:
> Hi Andreas!
>
>
> Andreas Jung wrote:
>
>> On 29.06.09 12:48, yuppie wrote:
>>
>>> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>>>
>>> All the other indexes don't have security declarations. AFAICS there is
>>> no way to access indexes from untrusted code without having the 'Manage
>>> ZCatalogIndex Entries' permission.
>>>
>>>
>> I think that all index implementations should have security assertions?!
>>
> Why?
>
> '_catalog.indexes' is protected by the underscore and using the
> 'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only
> additional security restrictions would have any effect.
>
> Or am I missing a security hole?
Not sure. I created a catalog /catalog and an index 'my_index'.
Within a debug shell:
>>> app.catalog.Indexes['my_index']
<FieldIndex at my_index>
>>> app.unrestrictedTraverse('catalog/Indexes/my_index')
<FieldIndex at /catalog//my_index>
>>> app.restrictedTraverse('catalog/Indexes/my_index')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 301, in restrictedTraverse
    return self.unrestrictedTraverse(path, default, restricted=True)
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 236, in unrestrictedTraverse
    next = guarded_getattr(obj, name)
AccessControl.unauthorized.Unauthorized: You are not allowed to access 'Indexes' in this context
hmmmm...
Andreas
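The access checks the thread is arguing about, as an added Python model that is not Zope's code: it reproduces only the two rules named above (underscore-prefixed names are never reachable from restricted code, and the 'Indexes' alias requires the 'Manage ZCatalogIndex Entries' permission) plus the restricted/unrestricted traversal split seen in the debug session. The classes and the guarded_getattr, traverse and reachable functions are constructed stand-ins, not AccessControl's real implementation.

```python
class Unauthorized(Exception):
    """Stand-in for AccessControl.unauthorized.Unauthorized."""

MANAGE_INDEX_ENTRIES = "Manage ZCatalogIndex Entries"

class FieldIndex:
    def __init__(self, name):
        self.id = name

class Catalog:
    """Toy ZCatalog: '_catalog' is underscore-protected, 'Indexes' is the alias
    guarded by a permission. Both routes lead to the same index mapping."""
    # constructed: attribute name -> permission required to reach it
    _permissions = {"Indexes": MANAGE_INDEX_ENTRIES}

    def __init__(self):
        self._catalog = type("InnerCatalog", (), {})()
        self._catalog.indexes = {"my_index": FieldIndex("my_index")}
        self.Indexes = self._catalog.indexes

class App:
    def __init__(self):
        self.catalog = Catalog()

def guarded_getattr(obj, name, user_permissions):
    """The two rules at issue in the thread: names starting with '_' are
    never reachable from restricted code, and other names are allowed
    only if the caller holds the permission declared for them."""
    required = getattr(type(obj), "_permissions", {}).get(name)
    if name.startswith("_") or (required and required not in user_permissions):
        raise Unauthorized("You are not allowed to access %r in this context" % name)
    return getattr(obj, name)

def traverse(root, path, restricted, user_permissions=()):
    """restricted=True mimics restrictedTraverse (checks every hop);
    restricted=False mimics unrestrictedTraverse (no checks at all)."""
    obj = root
    for name in path.split("/"):
        if isinstance(obj, dict):          # hop into the index mapping itself
            obj = obj[name]
        elif restricted:
            obj = guarded_getattr(obj, name, user_permissions)
        else:
            obj = getattr(obj, name)
    return obj

def reachable(root, path, restricted, user_permissions=()):
    try:
        traverse(root, path, restricted, user_permissions)
        return True
    except Unauthorized:
        return False
```

Without the permission, both 'catalog/Indexes/my_index' and 'catalog/_catalog/indexes/my_index' are rejected under restricted traversal, while unrestricted traversal resolves both; this is why extra declarations on the index classes themselves add nothing in the model.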