[Zope] Re: Security Hole in ZPublisher.BaseRequest.BaseRequest.traverse?
Chris Withers
chris at simplistix.co.uk
Fri Feb 18 06:49:57 EST 2005
Dieter Maurer wrote:
> I already answered this question (implicitly) in an earlier
> message:
>
> ZPublisher cannot use "restrictedTraverse" because
> authentication happens only at the end of traversal.
>
> Up to this point, there is no user and
> "restrictedTraverse" is likely to fail.
Okay, but maybe this should change? I know it's caused you problems in
the past and resulted in having to implement a post-traversal hook/hack...
There's still one remaining question:
What role-to-permissions mappings do you set so that no-one can access a
particular object's contents, once they know its id?
(ie: o-x)
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk