[Zope-CMF] CMF 1.5 beta coming -- last call before feature freeze!

Gregoire Weber gregweb at gmx.ch
Thu Aug 5 13:03:36 EDT 2004


Hi Tres,

>  $ bin/zopectl debug
>  >>> catalog = app.site.portal_catalog
>  >>> from Products.ZCatalog.ZCatalog import ZCatalog
>  >>> ZCatalog.searchResults(catalog)
>  []
>
>If we make the new method private (which seems right), then anyone who would be allowed to call it could equally well import the ZCatalog class (as I just did) and call its searchResults method without method dispatch.
>
>The reason I think it should be private is that otherwise it would open the possibility that a user would be able to see results for:
>
>  - objects she couldn't then view (since we bypass the
>    'allowedRolesAndUsers' check)
>
>  - objects either not yet effective or already expired, but without
>    having the corresponding AccessInactivePortalContent permission.

To make it non-private opens a security hole ...

A coder using ZCatalog.searchResults(catalog) breaks CMFIdea (the CMF idea 
of only accessing foreign modules through getToolByName or siteroot.portal_foreigntool).

I could use this for CMFUid. It would be nice to have it before the CMF 1.5 beta (or 
at least before the final).

>Sites that have use cases which need to bypass these restrictions for "normal" use should probably be replacing the 'portal_catalog' tool.

I agree.

Gregoire

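A stand-alone model of the point made in this thread, added here as an illustration and not code from CMF or ZCatalog: a base catalog that returns whatever matches the query, a portal-catalog subclass whose searchResults forces the 'allowedRolesAndUsers' and effective/expires filters onto every query, and a check showing that calling the base class's method unbound (as in the debug session above) skips that filtering. The class names, record fields, the `effectiveRange` query key and the `can_access_inactive` flag (standing in for the AccessInactivePortalContent permission) are assumptions of the model.

```python
NOW = "2005-01-01"  # ISO dates compare correctly as strings

# Constructed sample records, standing in for catalog brains.
RECORDS = [
    {"id": "public-doc", "allowedRolesAndUsers": ["Anonymous"],
     "effective": "2004-01-01", "expires": "2010-01-01"},
    {"id": "members-only", "allowedRolesAndUsers": ["Member"],
     "effective": "2004-01-01", "expires": "2010-01-01"},
    {"id": "not-yet-effective", "allowedRolesAndUsers": ["Anonymous"],
     "effective": "2006-01-01", "expires": "2010-01-01"},
]


class BaseCatalog:
    """Stand-in for ZCatalog: applies only the filters present in the query."""

    def __init__(self, records):
        self._records = records

    def searchResults(self, **query):
        hits = self._records
        if "allowedRolesAndUsers" in query:
            allowed = set(query["allowedRolesAndUsers"])
            hits = [r for r in hits if allowed & set(r["allowedRolesAndUsers"])]
        if "effectiveRange" in query:
            now = query["effectiveRange"]
            hits = [r for r in hits if r["effective"] <= now < r["expires"]]
        return hits


class PortalCatalog(BaseCatalog):
    """Stand-in for the CMF catalog tool: the security filters are not optional."""

    def searchResults(self, user_roles, can_access_inactive=False, now=NOW, **query):
        # Caller-supplied values for these keys are overwritten, never trusted.
        query["allowedRolesAndUsers"] = list(user_roles)
        if not can_access_inactive:
            query["effectiveRange"] = now
        return BaseCatalog.searchResults(self, **query)


def demo(catalog=None):
    """Return what each kind of caller sees, to show which path the filters cover."""
    catalog = catalog or PortalCatalog(RECORDS)
    ids = lambda hits: sorted(r["id"] for r in hits)
    return {
        "anonymous": ids(catalog.searchResults(["Anonymous"])),
        "member": ids(catalog.searchResults(["Anonymous", "Member"])),
        "anonymous_inactive_ok": ids(catalog.searchResults(["Anonymous"], True)),
        # Unbound call on the base class: the override never runs, nothing is filtered.
        "unbound_base_call": ids(BaseCatalog.searchResults(catalog)),
    }
```

The last entry is the thread's concern in miniature: the filters live only in the subclass's method, so any caller that can reach the base class method directly gets every record regardless of role or effective date.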