[Zope] Re: Re: Re: Blocking Sibling inheritance

Malcolm Cleaton malcolm at jamkit.com
Thu Mar 10 05:07:37 EST 2005


On Wed, 09 Mar 2005 19:23:53 +0100, Dieter Maurer wrote:
> Malcolm Cleaton wrote at 2005-3-9 10:59 +0000:
>>The issue can be worked around more easily than this. It is only the magic
>>"Authenticated" role which appears to suffer from this problem.
> 
> It should not be necessary:
> 
>    A user should not be able to access any *protected* (!) object
>    outside the subhierarchy governed by the user folder
>    that authenticated the user.
> 
> But maybe, we have a bug (and "aq_inContextOf" does not work
> as expected).

Yes, this shouldn't be necessary, and it looks like it's a bug.

Looks to me like the bug is in User.py's allowed method. Quite simply,
when it checks for the Authenticated role, it doesn't call
self._check_context, so never attempts to detect and foil acquisition
tricks. Unless I'm missing something, it should be a quick and easy fix.

Thanks,
Malcolm.

-- 

    [] j a m k i t
      web solutions for charities

         malcolm cleaton
T:  020 7549 0520
F:  020 7490 1152
M:  07986 563852
W: www.jamkit.com
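The point of the message above in runnable form. This is an added example written for this page, not code from the thread and not Zope's own AccessControl/User.py: it is a much reduced model of a user folder, of the containment check that _check_context performs (a walk up the containment chain standing in for aq_inContextOf), and of the allowed method with the Authenticated shortcut as described, beside a version where that shortcut is subjected to the same context check as every other role. The classes Node and User, the user alice, the layout /site_a, /site_b/secret and the helper build_site are all constructed for the example; the real methods handle more cases (Shared roles, local roles, bound methods) that are left out.

```python
from typing import Optional


class Node:
    """Hypothetical stand-in for a Zope content object.  Only the
    containment parent (what aq_inner/aq_parent would give) is modelled;
    the acquisition context a URL traversal builds is deliberately not,
    because that is what _check_context must ignore."""

    def __init__(self, name: str, container: Optional["Node"] = None):
        self.name = name
        self.container = container


def in_context_of(obj: Node, context: Node) -> bool:
    """Simplified containment test: true when `context` is `obj` itself
    or one of its containment ancestors."""
    node = obj
    while node is not None:
        if node is context:
            return True
        node = node.container
    return False


class User:
    """Simplified model of a user object living inside a user folder."""

    def __init__(self, name: str, roles, user_folder: Node):
        self.name = name
        self.roles = frozenset(roles)
        self.user_folder = user_folder  # the acl_users that authenticated us

    def _check_context(self, obj: Node) -> bool:
        # Roles only apply to objects inside the subhierarchy governed by
        # the user folder, i.e. inside the user folder's own container.
        return in_context_of(obj, self.user_folder.container)

    def allowed_buggy(self, obj: Node, object_roles) -> bool:
        """Shortcut order as described in the message: 'Authenticated'
        is granted before any containment check takes place."""
        if object_roles is None or "Anonymous" in object_roles:
            return True
        if "Authenticated" in object_roles and self.name != "Anonymous User":
            return True  # no self._check_context(obj) here
        if self.roles & frozenset(object_roles):
            return self._check_context(obj)
        return False

    def allowed_fixed(self, obj: Node, object_roles) -> bool:
        """Same logic, with the Authenticated shortcut checked for
        context like every other role match."""
        if object_roles is None or "Anonymous" in object_roles:
            return True
        if "Authenticated" in object_roles and self.name != "Anonymous User":
            return self._check_context(obj)
        if self.roles & frozenset(object_roles):
            return self._check_context(obj)
        return False


def build_site():
    """Constructed layout (not taken from the message):
         /site_a/acl_users  user folder holding alice (role Member)
         /site_a/private    protected object inside alice's site
         /site_b/secret     protected object in a sibling site
    A request for /site_a/site_b/secret acquires site_b through site_a,
    so site_a/acl_users authenticates alice even though secret is
    contained in site_b."""
    root = Node("")
    site_a = Node("site_a", root)
    acl_users = Node("acl_users", site_a)
    private = Node("private", site_a)
    site_b = Node("site_b", root)
    secret = Node("secret", site_b)
    alice = User("alice", {"Member"}, acl_users)
    return alice, private, secret


def demo():
    """Outcomes for the two protected objects under both variants."""
    alice, private, secret = build_site()
    return {
        "private_member_buggy": alice.allowed_buggy(private, ["Member"]),
        "private_member_fixed": alice.allowed_fixed(private, ["Member"]),
        "secret_member_buggy": alice.allowed_buggy(secret, ["Member"]),
        "secret_member_fixed": alice.allowed_fixed(secret, ["Member"]),
        "secret_auth_buggy": alice.allowed_buggy(secret, ["Authenticated"]),
        "secret_auth_fixed": alice.allowed_fixed(secret, ["Authenticated"]),
        "private_auth_fixed": alice.allowed_fixed(private, ["Authenticated"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the asymmetry the message describes: the Member role is refused on /site_b/secret by both variants because the containment walk never reaches site_a, while an object protected only by Authenticated is granted by the buggy variant and refused once the shortcut goes through _check_context. Access inside /site_a is unaffected by the fix.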