[Zope-dev] [zope2] Help needed with security checks and add views

Martin Aspeli optilude+lists at gmail.com
Thu Jul 8 09:02:11 EDT 2010


Hi Hanno,

On 27 June 2010 00:24, Hanno Schlichting <hanno at hannosch.eu> wrote:
> Hi there,
>
> recently MJ opened a security related bug and disclosed it to the
> public at https://bugs.launchpad.net/zope2/+bug/578326.
>
> In short Zope 2 never supported the permission attribute on ZCML
> browser:view declarations. It seems some people might have specified
> this attribute and assumed it would do something.
>
> I have added a warning message to Zope 2 (trunk + 2.12 branch) which
> warns about those cases. This is similar to how we handle other such
> cases like the unsupported <require set_schema=".." /> and <require
> set_attributes="..." /> on class directives.
>
> But it turns out that Zope 2 itself is using this in one place, that
> looks like it ought to have a security declaration. The
> Products.Five.adding.ContentAdding class registered as an add view
> ("+") has no working security declarations I can see, and only has
> such a non-functioning permission="zope2.ViewManagementScreens" set.
> I'm not familiar enough with the add view concept to understand what
> this is doing. It also looks like both CMF and Plone use similar
> registrations for their add views.

And Dexterity, I suggest.

> Ideally I'd love to add support for the permission attribute, as
> clearly people have been using it. But if there's nobody who can
> figure out how to do that, I'd at least like to clarify the add view
> case.

Why can't we just copy the relevant code from the browser:page directive?

The ViewSecurityGrokker in
http://svn.zope.org/five.grok/trunk/src/five/grok/meta.py?rev=112163&view=auto
may be useful reading too. It should be doing the same thing, no?

Martin

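As an added illustration (not part of the thread, and not Zope 2 code): a small audit helper that parses a ZCML file and reports every browser:view that carries a permission attribute, since that attribute is the one Zope 2 silently ignores. The sample ZCML and the example.browser class paths are constructed; only the ZCML namespaces and the Products.Five.adding.ContentAdding registration are taken from real Zope 2 usage discussed above.

```python
"""Flag ZCML browser:view declarations whose permission attribute
Zope 2 never enforced (Launchpad bug 578326, discussed above).
Constructed audit helper, not code from Zope 2 or Five."""
import xml.etree.ElementTree as ET

BROWSER_NS = "http://namespaces.zope.org/browser"
VIEW_TAG = "{%s}view" % BROWSER_NS

# Constructed sample configure.zcml mirroring the add-view registration
# style the thread describes; example.browser.* paths are illustrative.
SAMPLE_ZCML = """<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:browser="http://namespaces.zope.org/browser">

  <!-- permission on browser:view is silently ignored by Zope 2 -->
  <browser:view
      name="+"
      for="*"
      class="Products.Five.adding.ContentAdding"
      permission="zope2.ViewManagementScreens"
      />

  <!-- browser:page does enforce its permission -->
  <browser:page
      name="manage_something"
      for="*"
      class="example.browser.SomeView"
      permission="zope2.ViewManagementScreens"
      />

  <!-- browser:view with no permission: no false expectation created -->
  <browser:view name="plain" for="*" class="example.browser.Plain" />
</configure>
"""


def find_ignored_permissions(zcml_text):
    """Return (view name, permission) for each browser:view declaring a
    permission attribute, i.e. each declaration whose protection Zope 2
    does not actually apply.  Namespace-aware, so plain zope:view or
    browser:page elements are not reported."""
    root = ET.fromstring(zcml_text)
    findings = []
    for elem in root.iter(VIEW_TAG):
        permission = elem.get("permission")
        if permission is not None:
            findings.append((elem.get("name"), permission))
    return findings


if __name__ == "__main__":
    for name, perm in find_ignored_permissions(SAMPLE_ZCML):
        print("browser:view %r declares permission=%r; Zope 2 ignores it"
              % (name, perm))
```

Run it over each configure.zcml in a Zope 2 / CMF / Plone checkout to find the registrations Hanno's new warning will trip on.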
