[Zope-dev] Security still weird

Michael R. Bernstein webmaven@lvcm.com
01 Aug 2001 13:58:26 -0700


On 01 Aug 2001 13:32:21 -0700, Michael R. Bernstein wrote:
> On 01 Aug 2001 13:01:21 -0700, Michael R. Bernstein wrote:
> > On 01 Aug 2001 20:01:12 +0200, Joachim Werner wrote:
> > > > Supposedly, setting __allow_access_to_unprotected_subobjects__ = 0
> > > 
> > > I **might** have found an answer to this:
> > > [snip]
> > > Seems that "__allow_access_to_unprotected_subobjects__ = 0" is wrong. It
> > > should either be "1" or a dictionary of permissions ...
> > > 
> > > Does that help a bit?
> > 
> > Ok, so I tried to set '__allow_access_to_unprotected_subobjects__ = {}'
> > in the class, but this *still* has no effect.
> 
> Correction: This *does* disallow access to attributes and methods from
> unrestricted code, i.e.:
> 
> <dtml-with TestInstance>
>  <dtml-var method>
> </dtml-with>
> 
> raises an unauthorized exception (progress!). However, *traversing* to
> the unprotected methods is still being allowed, where I'm fairly certain
> that it shouldn't be.

Another correction <sigh>: I had a sneaking suspicion, so I went back
and set '__allow_access_to_unprotected_subobjects__ = 0' again. Guess
what, access from restricted code is *not* being allowed <sigh>. So,
Chris' suggestion was correct, after all.

Well, I apologize if this has confused people. I simply assumed that if
I could traverse to a method, then it was also accessible from
restricted code (I'm not 100% certain that this wasn't a valid
assumption).

So, something weird is happening WRT traversal here, whether it's a bug
in Zope or my code. Anyone have suggestions on investigating further?

Thanks,

Michael Bernstein.
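The settings tried in this thread (0, {}, 1) can be compared side by side with a small stand-in for the restricted-code attribute check. This is an added illustration, not Zope's AccessControl code and not anything from the thread: it models only the meaning of `__allow_access_to_unprotected_subobjects__` for attributes without their own security declaration, and deliberately ignores roles, permissions and traversal (the separate question Michael is asking about). Class names and the `unprotected_access_allowed`/`guarded_getattr` helpers are assumptions made for the example.

```python
# Added example: simplified model of how the marker attribute is read when
# restricted code (DTML, Python Scripts) asks for an undeclared attribute.
# Not Zope's implementation; roles, permissions and traversal are ignored.
from typing import Any


class Unauthorized(Exception):
    """Raised when restricted code may not reach the requested attribute."""


def unprotected_access_allowed(container: Any, name: str) -> bool:
    """Decide whether restricted code may read `name` on `container`.

    Meaning of the marker, as described in the thread and Zope's docs:
      * missing, 0 or False -> deny (the setting that does work here)
      * 1 or True           -> allow every unprotected attribute
      * dict                -> allow only names mapped to a true value,
                               so {} denies everything
      * callable            -> ask it as (name, value) and trust its answer
    """
    policy = getattr(container, "__allow_access_to_unprotected_subobjects__", 0)
    if isinstance(policy, dict):
        return bool(policy.get(name, 0))
    if callable(policy):
        return bool(policy(name, getattr(container, name)))
    return bool(policy)


def guarded_getattr(container: Any, name: str) -> Any:
    """Fetch `name` the way restricted code would, or raise Unauthorized."""
    if not unprotected_access_allowed(container, name):
        raise Unauthorized(f"{type(container).__name__}.{name}")
    return getattr(container, name)


# Constructed sample classes mirroring the settings tried in the thread.
class DeniedByZero:
    __allow_access_to_unprotected_subobjects__ = 0
    def method(self): return "method result"

class DeniedByEmptyDict:
    __allow_access_to_unprotected_subobjects__ = {}
    def method(self): return "method result"

class AllowedByOne:
    __allow_access_to_unprotected_subobjects__ = 1
    def method(self): return "method result"

class AllowedPerName:
    __allow_access_to_unprotected_subobjects__ = {"method": 1}
    def method(self): return "method result"
    def secret(self): return "hidden"
```

Both `0` and `{}` deny the restricted-code call, which matches the corrected observation in the message; neither setting says anything about whether a URL can still traverse to the method.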