[Zope] Re: Re: Re: Blocking Sibling inheritance

Stefan H. Holek stefan at epy.co.at
Thu Mar 10 10:18:42 EST 2005


Please put this in the collector or it may get lost.

Thanks,
Stefan


On 10 Mar 2005, at 11:07, Malcolm Cleaton wrote:

> On Wed, 09 Mar 2005 19:23:53 +0100, Dieter Maurer wrote:
>> Malcolm Cleaton wrote at 2005-3-9 10:59 +0000:
>>> The issue can be worked around more easily than this. It is only the magic
>>> "Authenticated" role which appears to suffer from this problem.
>>
>> It should not be necessary:
>>
>>    A user should not be able to access any *protected* (!) object
>>    outside the subhierarchy governed by the user folder
>>    that authenticated the user.
>>
>> But maybe, we have a bug (and "aq_inContextOf" does not work
>> as expected).
>
> Yes, this shouldn't be necessary, and it looks like it's a bug.
>
> Looks to me like the bug is in User.py's allowed method. Quite simply,
> when it checks for the Authenticated role, it doesn't call
> self._check_context, so never attempts to detect and foil acquisition
> tricks. Unless I'm missing something, it should be a quick and easy fix.
>
> Thanks,
> Malcolm.

--
Software Engineering is Programming when you can't. --E. W. Dijkstra
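A simplified model of the check the thread describes, added here as an illustration; it is not Zope's own User.py, and the Node and User classes, the `fixed` switch and the demo tree are assumptions made for the example:

```python
# Added model of the check discussed above; NOT Zope's User.py. Node,
# User and the demo tree are simplified stand-ins (assumptions).

class Node:
    """Folder-like object with an acquisition-style parent chain."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

    def in_context_of(self, ancestor):
        """True if `ancestor` is this node or one of its parents."""
        node = self
        while node is not None:
            if node is ancestor:
                return True
            node = node.parent
        return False


class User:
    """A user authenticated by the user folder `acl_users`."""
    def __init__(self, name, roles, acl_users):
        self.name, self.roles, self.acl_users = name, set(roles), acl_users

    def _check_context(self, obj):
        # The object must live under the parent of the user folder that
        # authenticated this user; anything else is reached by acquisition.
        return obj.in_context_of(self.acl_users.parent)

    def allowed(self, obj, object_roles, fixed=True):
        """fixed=False reproduces the reported behaviour: the 'Authenticated'
        shortcut returns without calling _check_context."""
        if 'Anonymous' in object_roles:
            return True
        if 'Authenticated' in object_roles and self.name != 'Anonymous User':
            return self._check_context(obj) if fixed else True
        for role in object_roles:          # ordinary roles always check context
            if role in self.roles:
                return self._check_context(obj)
        return False


def demo():
    """Constructed tree: root/a/{acl_users,page} and sibling root/b/secret."""
    root = Node('root')
    a = Node('a', root); acl = Node('acl_users', a); page = Node('page', a)
    b = Node('b', root); secret = Node('secret', b)
    alice = User('alice', ['Member'], acl)   # authenticated by root/a/acl_users
    return {'own_subtree': alice.allowed(page, ['Authenticated']),
            'sibling_buggy': alice.allowed(secret, ['Authenticated'], fixed=False),
            'sibling_fixed': alice.allowed(secret, ['Authenticated']),
            'sibling_member': alice.allowed(secret, ['Member'])}
```

Only the unfixed `Authenticated` path lets alice reach the sibling folder; the role-based path and the fixed shortcut both refuse it because `_check_context` fails.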
