[Zope] Zope and roles and hierarchy
Lennart Regebro
regebro at gmail.com
Sat Feb 11 06:09:11 EST 2006
On 2/11/06, Kees de Brabander <cj.de.brabander at hccnet.nl> wrote:
> Unaware of any security risks I used this "feature" from zope 1.10.x on and
> regularly upgrading my applications I had no problems until zope 2.7.8
Admittedly, I didn't use 1.10, I only discovered Zope two months
later, with 2.0.1. And I don't remember those details that far back.
But at least in 2.4.0, this code was called when you did
user.allowed():
def _check_context(self, object):
# Check that 'object' exists in the acquisition context of
# the parent of the acl_users object containing this user,
# to prevent "stealing" access through acquisition tricks.
# Return true if in context, false if not or if context
# cannot be determined (object is not wrapped).
parent = getattr(self, 'aq_parent', None)
context = getattr(parent, 'aq_parent', None)
if context is not None:
if object is None:
return 1
if not hasattr(object, 'aq_inContextOf'):
if hasattr(object, 'im_self'):
# This is a method. Grab its self.
object=object.im_self
if not hasattr(object, 'aq_inContextOf'):
# Object is not wrapped, so return false.
return 0
if object.aq_inContextOf(context, 1):
return 1
# This is lame, but required to keep existing behavior.
return 1
And hence, you can't have done this after Zope 2.4.0. So I still think
you are talking about something else.
--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
More information about the Zope
mailing list