[Grok-dev] custom publication and browserDefault (wrt security)
faassen at startifact.com
Thu Dec 11 11:54:28 EST 2008
Jan-Wijbrand Kolman wrote:
> see https://bugs.launchpad.net/grok/+bug/78325
> Philipp reported this issue and I think his suspicion was correct:
> Grok's custom publication interferes with <browser:page/> declaration
> elsewhere, at least in some ways.
Hm, this looks like a pretty serious security bug then that we should
consider fixing for 0.14.1 as well.
Not sure how to go about fixing it. We need to somehow be able to detect
in Grok's publication.ZopePublicationSansProxy that we're dealing with
such views, and then not remove the original security proxy. An
alternative approach would be to detect that this is going on and do a
manual security check (somehow knowing what permission to check).
I just closed this issue thinking it was actually a false alarm (I tried
a few small things), but I will re-open it:
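As an added illustration of the problem and of the two fixes sketched in the message above (this is a toy model written for this page, not Grok or Zope code, and every name in it, `SecurityProxy`, `Checker`, `EditPage`, `call_object_*`, is an assumed stand-in): a security proxy enforces a permission on every attribute access, including `__call__`, which is how a view registered with `<browser:page permission="..."/>` gets protected. A publication that strips the proxy from every traversed object therefore renders such a view without any check. The model shows that bypass, then the two alternatives from the thread: consulting the view's checker manually before calling it, and stripping the proxy only for Grok's own views.

```python
from dataclasses import dataclass, field
from typing import Dict


class Unauthorized(Exception):
    """Raised when the current principal lacks the required permission."""


@dataclass
class Interaction:
    """Stand-in for the request's security interaction: permissions granted to the principal."""
    granted: set = field(default_factory=set)

    def check_permission(self, permission: str) -> bool:
        return permission == "zope.Public" or permission in self.granted


class Checker:
    """Maps attribute names on an object to the permission needed to use them."""

    def __init__(self, required: Dict[str, str]):
        self.required = required

    def check(self, interaction: Interaction, name: str) -> None:
        permission = self.required.get(name, "zope.Public")
        if not interaction.check_permission(permission):
            raise Unauthorized(f"{name} requires {permission}")


class SecurityProxy:
    """Minimal stand-in for a security proxy: every attribute access and call is checked."""

    def __init__(self, obj, checker: Checker, interaction: Interaction):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)
        object.__setattr__(self, "_interaction", interaction)

    def __getattr__(self, name):
        self._checker.check(self._interaction, name)
        return getattr(self._obj, name)

    def __call__(self, *args, **kw):
        self._checker.check(self._interaction, "__call__")
        return self._obj(*args, **kw)


def remove_security_proxy(obj):
    return object.__getattribute__(obj, "_obj") if isinstance(obj, SecurityProxy) else obj


class EditPage:
    """Constructed view registered elsewhere via <browser:page permission="app.Edit"/>;
    it relies entirely on the proxy around it to enforce that permission."""
    grok_view = False

    def __call__(self):
        return "edit form"


class IndexView:
    """Constructed grok.View; Grok handles permissions for these itself, here modelled as public."""
    grok_view = True

    def __call__(self):
        return "index"


# Constructed registry, playing the role of the checkers zope.security selects per class.
CHECKERS = {
    EditPage: Checker({"__call__": "app.Edit"}),
    IndexView: Checker({"__call__": "zope.Public"}),
}


def traverse(view_cls, interaction: Interaction):
    """Standard publication behaviour: the traversed view comes back security-proxied."""
    return SecurityProxy(view_cls(), CHECKERS[view_cls], interaction)


def call_object_sans_proxy(view, interaction: Interaction):
    """The problem: the proxy is stripped from every view, so the browser:page
    permission is never consulted."""
    return remove_security_proxy(view)()


def call_object_manual_check(view, interaction: Interaction):
    """Second approach from the thread: strip the proxy but look up the view's
    checker and enforce its __call__ permission by hand."""
    bare = remove_security_proxy(view)
    checker = CHECKERS.get(type(bare))
    if checker is not None:
        checker.check(interaction, "__call__")
    return bare()


def call_object_keep_proxy(view, interaction: Interaction):
    """First approach from the thread: only strip the proxy for Grok's own views;
    views declared elsewhere stay proxied, so their permission is enforced as usual."""
    bare = remove_security_proxy(view)
    return bare() if bare.grok_view else view()


def is_authorized(strategy, view_cls, interaction: Interaction) -> bool:
    """Publish view_cls through the given call strategy; False if the call was refused."""
    try:
        strategy(traverse(view_cls, interaction), interaction)
    except Unauthorized:
        return False
    return True
```

Running `is_authorized(call_object_sans_proxy, EditPage, Interaction())` returns `True`: an anonymous principal renders the page that `<browser:page/>` declared as requiring `app.Edit`. Both alternative strategies refuse it for the anonymous principal and allow it for `Interaction({"app.Edit"})`, while the Grok view stays reachable under all three. The manual-check variant depends on being able to find the right permission for the view, which is exactly the open question the message raises.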