[Zope] Re: Re: Re: Blocking Sibling inheritance
Stefan H. Holek
stefan at epy.co.at
Thu Mar 10 10:18:42 EST 2005
Please put this in the collector or it may get lost.
Thanks,
Stefan
On 10 Mar 2005, at 11:07, Malcolm Cleaton wrote:
> On Wed, 09 Mar 2005 19:23:53 +0100, Dieter Maurer wrote:
>> Malcolm Cleaton wrote at 2005-3-9 10:59 +0000:
>>> The issue can be worked around more easily than this. It is only the
>>> magic
>>> "Authenticated" role which appears to suffer from this problem.
>>
>> It should not be necessary:
>>
>> A user should not be able to access any *protected* (!) object
>> outside the subhierarchy governed by the user folder
>> that authenticated the user.
>>
>> But maybe, we have a bug (and "aq_inContextOf" does not work
>> as expected).
>
> Yes, this shouldn't be necessary, and it looks like it's a bug.
>
> Looks to me like the bug is in User.py's allowed method. Quite simply,
> when it checks for the Authenticated role, it doesn't call
> self._check_context, so never attempts to detect and foil acquisition
> tricks. Unless I'm missing something, it should be a quick and easy
> fix.
>
> Thanks,
> Malcolm.
--
Software Engineering is Programming when you can't. --E. W. Dijkstra
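The shortcut Malcolm describes, modelled as an added example that is not part of the thread and is not Zope's actual User.py: a plain `parent` attribute stands in for the acquisition parent, `in_context_of` stands in for `aq_inContextOf`, and the folder names and user are invented. It shows why the "Authenticated" role path needs the same `_check_context` call as the normal role path.

```python
# Added example: simplified stand-in for the role check in Zope's
# BasicUser.allowed(). NOT the real AccessControl code.

class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

    def in_context_of(self, ancestor):
        # Stand-in for aq_inContextOf: is 'ancestor' on our parent chain?
        node = self
        while node is not None:
            if node is ancestor:
                return True
            node = node.parent
        return False


class User:
    def __init__(self, name, roles, user_folder):
        self.name, self.roles, self.user_folder = name, roles, user_folder

    def _check_context(self, obj):
        # A user folder governs the folder containing it; protected objects
        # outside that subhierarchy must not be reachable via acquisition.
        return obj.in_context_of(self.user_folder.parent)

    def allowed_buggy(self, obj, object_roles):
        # The shortcut Malcolm describes: 'Authenticated' is granted without
        # consulting _check_context, so a sibling folder becomes reachable.
        if 'Authenticated' in object_roles and self.name != 'Anonymous User':
            return True
        return any(r in self.roles for r in object_roles) and self._check_context(obj)

    def allowed_fixed(self, obj, object_roles):
        # Same shortcut, but the context check now applies to it as well.
        if 'Authenticated' in object_roles and self.name != 'Anonymous User':
            return self._check_context(obj)
        return any(r in self.roles for r in object_roles) and self._check_context(obj)


def demo():
    root = Node('root')
    site_a = Node('site_a', root)
    acl_users_a = Node('acl_users', site_a)   # user folder that authenticates alice
    secret_a = Node('secret_a', site_a)       # inside alice's subhierarchy
    secret_b = Node('secret_b', Node('site_b', root))  # sibling site, outside it
    alice = User('alice', ['Member'], acl_users_a)
    protected = ['Authenticated']
    return {'buggy_inside': alice.allowed_buggy(secret_a, protected),
            'buggy_sibling': alice.allowed_buggy(secret_b, protected),
            'fixed_inside': alice.allowed_fixed(secret_a, protected),
            'fixed_sibling': alice.allowed_fixed(secret_b, protected)}
```

Both versions grant `secret_a`; only the buggy one also grants `secret_b`, which lies outside the subhierarchy governed by the user folder that authenticated alice.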