[zope2-tracker] [Bug 578326] [NEW] Products.Five: browser.view directive ignores access control directives.
Martijn Pieters
launchpad.net at zopatista.com
Mon May 10 11:46:30 EDT 2010
*** This bug is a security vulnerability ***
Public security bug reported:
The following zcml should protect the listed page with the zope2.Private
permission (e.g. not viewable at all from the web):
<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:browser="http://namespaces.zope.org/browser">
  <browser:view
      name="foo"
      for="*"
      class=".foo.FooView"
      permission="zope2.Private"
      >
    <browser:page name="bar" attribute="bar" />
  </browser:view>
</configure>
However, the @@foo/bar page is perfectly accessible, because the
Products.Five.browser.metaconfigure.view configuration handler
effectively ignores the permission.
There is in fact no way to protect a view (and the associated pages)
from anonymous access with ZCML. The allowed_interface and
allowed_attributes are similarly ignored.
Workaround: use old-style security=ClassSecurityInfo() markers on the
view class itself. This only works with attribute-based pages.
** Affects: zope2
Importance: Undecided
Status: New
** Visibility changed to: Public
--
Products.Five: browser.view directive ignores access control directives.
https://bugs.launchpad.net/bugs/578326
You received this bug notification because you are a member of Zope 2
Developers, which is subscribed to Zope 2.
More information about the zope2-tracker
mailing list
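The report states that Products.Five's browser:view handler ignores the permission, allowed_interface and allowed_attributes attributes, and that the ClassSecurityInfo workaround only covers attribute-based pages. The script below is an added example, not part of the bug report or of Zope itself: it walks a ZCML file and lists every browser:view that relies on one of those ignored attributes, together with its pages and whether each page is attribute-based (coverable by the workaround) or template-based (not coverable). The namespaces are the ones used in the report's ZCML; the sample ZCML is a constructed copy of the report's example with its quoting corrected and one extra template-based page added to show the distinction.

```python
"""Audit ZCML for browser:view directives whose access-control attributes
Products.Five does not enforce (Launchpad bug 578326).

Added example, not code from the bug report or from Zope. Assumes the
ZCML namespaces shown in the report; SAMPLE_ZCML is constructed input.
"""
import xml.etree.ElementTree as ET

ZOPE_NS = "http://namespaces.zope.org/zope"
BROWSER_NS = "http://namespaces.zope.org/browser"

# Attributes the report says the browser:view handler effectively ignores.
IGNORED_ATTRS = ("permission", "allowed_interface", "allowed_attributes")

# Constructed sample: the report's ZCML (quotes fixed) plus one
# template-based page, which the ClassSecurityInfo workaround cannot protect.
SAMPLE_ZCML = """\
<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:browser="http://namespaces.zope.org/browser">
  <browser:view
      name="foo"
      for="*"
      class=".foo.FooView"
      permission="zope2.Private"
      >
    <browser:page name="bar" attribute="bar" />
    <browser:page name="baz" template="baz.pt" />
  </browser:view>
</configure>
"""


def audit_browser_views(zcml_text):
    """Return one finding per browser:view that sets an ignored attribute.

    Each finding records the view name and class, which ignored attributes
    it relies on, its pages (with whether each is attribute-based), and the
    @@view/page URLs the report uses to describe the exposed pages.
    """
    root = ET.fromstring(zcml_text)
    findings = []
    for view in root.iter("{%s}view" % BROWSER_NS):
        relied_on = {a: view.get(a) for a in IGNORED_ATTRS
                     if view.get(a) is not None}
        if not relied_on:
            continue  # nothing here is silently dropped, so nothing to report
        pages = []
        for page in view.findall("{%s}page" % BROWSER_NS):
            pages.append({
                "name": page.get("name"),
                # Only attribute-based pages can fall back to the old-style
                # security=ClassSecurityInfo() markers on the view class.
                "attribute_based": page.get("attribute") is not None,
            })
        findings.append({
            "view": view.get("name"),
            "class": view.get("class"),
            "ignored": relied_on,
            "pages": pages,
            "urls": ["@@%s/%s" % (view.get("name"), p["name"]) for p in pages],
        })
    return findings


def format_report(findings):
    """Render findings as plain text, one view per paragraph."""
    lines = []
    for f in findings:
        lines.append("browser:view %r (class %s) sets %s, which Five ignores"
                     % (f["view"], f["class"], ", ".join(sorted(f["ignored"]))))
        for page, url in zip(f["pages"], f["urls"]):
            fallback = ("ClassSecurityInfo on the view class can protect it"
                        if page["attribute_based"]
                        else "template-based: no ClassSecurityInfo fallback")
            lines.append("  %s is reachable anonymously; %s" % (url, fallback))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_browser_views(SAMPLE_ZCML)))
```

Run it against your own ZCML by passing the file contents to audit_browser_views; every view it lists needs the report's ClassSecurityInfo workaround on the view class, and any template-based page it flags has no such fallback and must be protected some other way until the handler itself is fixed.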