[Zope-dev] ZCatalog and indexes cleanup

Andreas Jung lists at zopyx.com
Mon Jun 29 13:42:27 EDT 2009


On 29.06.09 19:33, yuppie wrote:
> Hi Andreas!
>
>
> Andreas Jung wrote:
>> On 29.06.09 12:48, yuppie wrote:
>>> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>>>
>>> All the other indexes don't have security declarations. AFAICS there is 
>>> no way to access indexes from untrusted code without having the 'Manage 
>>> ZCatalogIndex Entries' permission.
>>
>> I think that all index implementation should have security assertions?!
> Why?
>
> '_catalog.indexes' is protected by the underscore and using the 
> 'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only 
> additional security restrictions would have any effect.
>
> Or am I missing a security hole?

Not sure. I created a catalog /catalog and an index 'my_index'.

Within a debug shell:

>>> app.catalog.Indexes['my_index']
<FieldIndex at my_index>


>>> app.unrestrictedTraverse('catalog/Indexes/my_index')
<FieldIndex at /catalog//my_index>


>>> app.restrictedTraverse('catalog/Indexes/my_index')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 301, in restrictedTraverse
    return self.unrestrictedTraverse(path, default, restricted=True)
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 236, in unrestrictedTraverse
    next = guarded_getattr(obj, name)
AccessControl.unauthorized.Unauthorized: You are not allowed to access 'Indexes' in this context


hmmmm...

Andreas
