[Zope] Re: Security Hole in ZPublisher.BaseRequest.BaseRequest.traverse?

Chris Withers chris at simplistix.co.uk
Fri Feb 18 06:49:57 EST 2005


Dieter Maurer wrote:

> I already answered this question (implicitly) in an earlier
> message:
> 
>   ZPublisher cannot use "restrictedTraverse" because
>   authentication happens only at the end of traversal.
> 
>   Up to this point, there is no user and
>   "restrictedTraverse" is likely to fail.

Okay, but maybe this should change? I know it's caused you problems in 
the past and resulted in having to implement a post-traversal hook/hack...

There's still one remaining question:

What role-to-permissions mappings do you set so that no-one can access a 
particular object's contents, once they know its id?

(i.e. o-x)

cheers,

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk
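To make the two points in this exchange concrete (ZPublisher locates the object first and validates only the published object against the user, whereas restrictedTraverse would have to pass each hop; and which permission settings close the "known id" case Chris asks about), here is an added, self-contained Python model. It is not Zope code and not from the thread: `Node`, `allowed_roles`, `publish` and `restricted_traverse` are hypothetical stand-ins for Zope's role/permission resolution with acquisition, and the site tree is constructed inline. `manage_permission` only mirrors the shape of Zope's `RoleManager.manage_permission(permission, roles, acquire)`.

```python
"""Simplified model of Zope 2 style role-to-permission checks (constructed example, not Zope's code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

VIEW = "View"
ACCESS = "Access contents information"


@dataclass
class Node:
    """One object in a content tree; a hypothetical stand-in for a Zope folder or document."""
    id: str
    parent: Optional["Node"] = None
    # permission name -> roles explicitly granted that permission on this object
    roles_for: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    # permission name -> whether the parent's settings are acquired as well (Zope default: yes)
    acquire: Dict[str, bool] = field(default_factory=dict)
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.id] = child
        return child

    def manage_permission(self, permission: str, roles: Iterable[str] = (), acquire: bool = False) -> None:
        """Same shape as Zope's manage_permission(permission, roles, acquire); modelled, not the real one."""
        self.roles_for[permission] = frozenset(roles)
        self.acquire[permission] = acquire


def allowed_roles(node: Node, permission: str) -> FrozenSet[str]:
    """Roles holding `permission` on `node`: local settings plus acquired ones until acquire is off."""
    roles: Set[str] = set()
    cur: Optional[Node] = node
    while cur is not None:
        roles |= cur.roles_for.get(permission, frozenset())
        if not cur.acquire.get(permission, True):
            break
        cur = cur.parent
    return frozenset(roles)


def has_permission(user_roles: Iterable[str], permission: str, node: Node) -> bool:
    return not set(user_roles).isdisjoint(allowed_roles(node, permission))


def unrestricted_traverse(root: Node, path: List[str]) -> Optional[Node]:
    """Walk the path by id with no security checks at all."""
    cur: Optional[Node] = root
    for seg in path:
        cur = cur.children.get(seg) if cur is not None else None
    return cur


def publish(root: Node, path: List[str], user_roles: Iterable[str]) -> bool:
    """Model of ZPublisher: find the object first, then validate only the final object."""
    obj = unrestricted_traverse(root, path)
    return obj is not None and has_permission(user_roles, VIEW, obj)


def restricted_traverse(root: Node, path: List[str], user_roles: Iterable[str]) -> bool:
    """Model of restrictedTraverse: every hop must be accessible, then the target must be viewable."""
    cur = root
    for seg in path:
        nxt = cur.children.get(seg)
        if nxt is None or not has_permission(user_roles, ACCESS, nxt):
            return False
        cur = nxt
    return has_permission(user_roles, VIEW, cur)


def build_site() -> Tuple[Node, Node]:
    """Constructed tree: a public root, a locked folder, and a document inside it that still grants View."""
    root = Node("root")
    root.manage_permission(VIEW, ["Anonymous", "Manager"], acquire=False)
    root.manage_permission(ACCESS, ["Anonymous", "Manager"], acquire=False)
    root.add(Node("public"))  # acquires everything from root
    private = root.add(Node("private"))
    private.manage_permission(VIEW, [], acquire=False)
    private.manage_permission(ACCESS, [], acquire=False)
    doc = private.add(Node("doc"))
    doc.manage_permission(VIEW, ["Anonymous"], acquire=False)  # left open at the object level
    return root, doc


def lock_down(node: Node) -> None:
    """The mapping that answers the 'known id' question: no roles, and no acquisition, on the object itself."""
    node.manage_permission(VIEW, [], acquire=False)
    node.manage_permission(ACCESS, [], acquire=False)
```

Locking the container alone only helps when traversal is checked hop by hop; because publishing validates the final object, the document's own `View` setting decides, so the mapping has to be applied on the object whose id is known (and with acquisition switched off, or the parent's grants come back through it).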
