[Zope-dev] [zope2] Help needed with security checks and add views

Martin Aspeli optilude+lists at gmail.com
Fri Jul 9 04:17:45 EDT 2010


On 9 July 2010 16:12, Hanno Schlichting <hanno at hannosch.eu> wrote:
> On Thu, Jul 8, 2010 at 3:02 PM, Martin Aspeli <optilude+lists at gmail.com> wrote:
>>> Ideally I'd love to add support for the permission attribute, as
>>> clearly people have been using it. But if there's nobody who can
>>> figure out how to do that, I'd at least like to clarify the add view
>>> case.
>>
>> Why can't we just copy the relevant code from the browser:page directive?
>>
>> The ViewSecurityGrokker in
>> http://svn.zope.org/five.grok/trunk/src/five/grok/meta.py?rev=112163&view=auto
>> may be useful reading too. It should be doing the same thing, no?
>
> It seems you have some idea about this code, so are you volunteering
> to implement this?

Possibly. I have client work that has to take priority right now.

> Since we are dealing with a disclosed real security vulnerability
> here, I need to have some resolution by next Tuesday. Either that is
> disabling the functionality or protecting it with some security.

I'd appreciate it if someone who's getting more than four hours of
sleep a night at the moment takes a stab. I'm happy to review/assist.

Martin

