[Zope] 'Inherited' Security Problem
Dieter Maurer
dieter@handshake.de
Fri, 27 Jun 2003 00:49:11 +0200
Ralph vd Houdt wrote at 2003-6-25 09:08 +0200:
> After I upgraded to zope 2.6.0 I'm no longer able to use dtml-var to include
> a restricted dtml method in a non restricted dtml method. The previous
> versions of zope would give me the possibility to log in to see the
> complete page or to deny complete access. Nowadays the page gives a KeyError
> with the value of the restricted page.
>
> Does anyone have a solution?
I do not have a solution, just a remark.
The (in my view) bug was introduced a long time ago.
Apparently, a security fanatic decided that unauthorized objects
should not be seen at all (and converted some "Unauthorized" into "KeyError").
However, it might also have been introduced accidentally.
You may file a bug report. However, as Zope's security code is quite
weird, I have little hope that the behaviour will be changed in Zope 2.
As a (nasty) workaround, you might catch the "KeyError" exception
and raise an "Unauthorized" again.
An alternative would be to leave DTML and use ZPT instead.
Dieter
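The lookup behaviour described in the thread, and the "catch the KeyError and raise Unauthorized again" workaround, as an added example in Python that is not part of the original thread and is not Zope's own code. The `Unauthorized`, `ProtectedMethod` and `Folder` classes are a hypothetical stand-in for Zope's security machinery (real Zope raises `AccessControl.Unauthorized` and performs the check inside the DTML namespace lookup), and the folder contents used at the bottom are constructed sample data.

```python
"""Model of the DTML lookup behaviour discussed in the thread and of the
suggested workaround.  Added example; the classes are a hypothetical
stand-in for Zope's security machinery, not Zope code."""


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""


class ProtectedMethod:
    """A DTML method guarded by a permission: only the listed roles may view it."""

    def __init__(self, name, body, allowed_roles):
        self.name = name
        self.body = body
        self.allowed_roles = frozenset(allowed_roles)

    def render(self, user_roles):
        if not self.allowed_roles & set(user_roles):
            raise Unauthorized(self.name)
        return self.body


class Folder:
    """Holds named objects and answers dtml-var style lookups."""

    def __init__(self, **objects):
        self.objects = objects

    def lookup_strict(self, name, user_roles):
        """Older behaviour as the poster describes it: a denied object raises
        Unauthorized, so the request can trigger a login challenge.  A name
        that really does not exist still raises KeyError."""
        obj = self.objects[name]
        return obj.render(user_roles)

    def lookup_hiding(self, name, user_roles):
        """Behaviour the poster reports for 2.6: Unauthorized from the guarded
        lookup is turned into KeyError, so an object the user may not see
        looks exactly like one that does not exist."""
        try:
            return self.lookup_strict(name, user_roles)
        except Unauthorized:
            raise KeyError(name)


def include_restricted(folder, name, user_roles):
    """The suggested workaround, applied from the unrestricted method: catch
    the KeyError and re-raise Unauthorized so the user is asked to log in
    instead of seeing a KeyError page.  Caveat: a name that is genuinely
    missing now also surfaces as Unauthorized, because the hiding lookup has
    already erased the difference between the two cases."""
    try:
        return folder.lookup_hiding(name, user_roles)
    except KeyError:
        raise Unauthorized(name)


def outcome(fn, *args):
    """Run a lookup and report what happened, for comparing the three paths."""
    try:
        fn(*args)
        return "ok"
    except (KeyError, Unauthorized) as exc:
        return type(exc).__name__


# Constructed sample data: one restricted method viewable only by Manager.
SAMPLE = Folder(secret=ProtectedMethod("secret", "<p>members only</p>", ["Manager"]))

if __name__ == "__main__":
    for label, fn in (("strict", SAMPLE.lookup_strict),
                      ("hiding", SAMPLE.lookup_hiding)):
        print(label, "anonymous:", outcome(fn, "secret", ["Anonymous"]))
    print("workaround anonymous:",
          outcome(include_restricted, SAMPLE, "secret", ["Anonymous"]))
    print("workaround missing name:",
          outcome(include_restricted, SAMPLE, "nosuch", ["Manager"]))
```

In DTML itself the same workaround is spelled with `<dtml-try>`, `<dtml-except KeyError>` and `<dtml-raise Unauthorized>` around the `<dtml-var>` of the restricted method; the last assertion below is the cost of it: once the lookup has mapped Unauthorized onto KeyError, the wrapper cannot tell a denied object from a misspelled name, so both produce a login challenge.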