[Grok-dev] custom publication and browserDefault (wrt security)

Martijn Faassen faassen at startifact.com
Thu Dec 11 11:54:28 EST 2008

Jan-Wijbrand Kolman wrote:
> see https://bugs.launchpad.net/grok/+bug/78325
> Philipp reported this issue and I think his suspicion was correct:
> Grok's custom publication interferes with <browser:page/> declaration
> elsewhere, at least in some ways.

Hm, this looks like a pretty serious security bug then that we should 
consider fixing for 0.14.1 as well.

Not sure how to go about fixing it. We need to somehow be able to detect 
in Grok's publication.ZopePublicationSansProxy that we're dealing with 
such views, and then not remove the original security proxy. An 
alternative approach would be to detect that this is going on and do a 
manual security check (somehow knowing what permission to check.).

I just closed this issue thinking it was actually a false alarm (I tried 
a few small things), but I will re-open it:




More information about the Grok-dev mailing list