[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

Tres Seaver tseaver at zope.com
Thu Jan 15 17:04:03 EST 2004


Dieter Maurer wrote:
> Jim Fulton wrote at 2004-1-15 10:03 -0500:
> 
>>...
>>Right. The name attribute was intended for attribute-based access.
>>
>>IMO, it makes no sense to consider key values when doing security
>>checks.
>>
>>
>>>I will let Jim comment on your use case.
>>
>>What use case?  I missed it. Where is it?
> 
> 
> "AccessControl.SecurityInfo.SecurityInfo.setDefaultAccess"
> allows integers, strings, dictionary mapping names to integers
> and function with signature "name,value --> boolean" as
> arguments.
> 
> The motivation is that some attributes may be accessible
> while others should not. It is highly likely that
> this decision is based on the attribute name.
> When "None" is passed as name, you lose...

None is never passed when validating *attribute* access;  it is (now) 
passed when validating *item* access (think sequence as well as mapping 
items).  The rationale was that there were no known cases where item 
access was being discriminated based on the key, and that casually 
passing the key / index around was a source of bugs.

We can look at reverting that, if somebody has a convincing use case 
which requires protecting item access based on the key / index.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
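
The following is an added illustration of the dispatch the thread is arguing about; it is not code from Zope or from anyone in the thread. It models the default-access forms Dieter lists (integer, 'allow'/'deny' string, dict of attribute name to integer, callable with signature (name, value) -> bool), passes the real name for attribute checks and None for item checks as Tres describes, and shows why a name-based callable policy has to be written with the None case in mind. The names `is_allowed`, `validate_attribute`, `validate_item`, `naive_policy`, `robust_policy` and `Document` are this example's own, and the choice to fail closed when a name-keyed dict is consulted with name=None is an assumption of the example; the thread does not say what Zope itself does there.

```python
"""Stand-alone model of the default-access dispatch discussed in the thread.

Added illustration, not Zope code.  Assumptions (this example's own):
  * a default-access setting is one of the forms listed in the thread: an
    integer, an 'allow'/'deny' string, a dict mapping attribute names to
    integers, or a callable with signature (name, value) -> bool;
  * attribute validation passes the real attribute name, while item
    (sequence/mapping) validation passes None as the name;
  * a name-keyed dict consulted with name=None fails closed (denies).
"""

from typing import Any, Callable, Dict, Optional, Union

Policy = Union[int, str, Dict[str, int], Callable[[Optional[str], Any], bool]]


def normalize(policy: Policy) -> Policy:
    """Map the 'allow'/'deny' string form onto 1/0; pass other forms through."""
    if isinstance(policy, str):
        if policy == "allow":
            return 1
        if policy == "deny":
            return 0
        raise ValueError("default access string must be 'allow' or 'deny'")
    return policy


def is_allowed(policy: Policy, name: Optional[str], value: Any) -> bool:
    """Decide one access check under ``policy``.

    ``name`` is the attribute name, or None for item (key/index) access.
    """
    policy = normalize(policy)
    if callable(policy):
        return bool(policy(name, value))
    if isinstance(policy, dict):
        if name is None:
            return False  # assumption: no name to look up, so fail closed
        return bool(policy.get(name, 0))
    return bool(policy)


def validate_attribute(container: Any, name: str, policy: Policy) -> bool:
    """Attribute access: the name is forwarded, so name-based policies work."""
    return is_allowed(policy, name, getattr(container, name))


def validate_item(container: Any, key: Any, policy: Policy) -> bool:
    """Item access: the key/index is *not* forwarded; the policy sees None."""
    return is_allowed(policy, None, container[key])


def naive_policy(name: Optional[str], value: Any) -> bool:
    """A name-based callable written as if ``name`` were always a string.

    On item access ``name`` is None, so this raises AttributeError.
    """
    return not name.startswith("_")


def robust_policy(name: Optional[str], value: Any) -> bool:
    """Same intent, but defined for the item-access (name=None) case too.

    With no name to reason about it allows only plain scalar values, so
    nested objects reached by key/index stay denied.
    """
    if name is None:
        return isinstance(value, (str, int, float, bool))
    return not name.startswith("_")


class Document:
    """Constructed sample object: one public and one private attribute."""

    title = "quarterly report"
    _secret = "do not publish"


if __name__ == "__main__":
    doc = Document()
    print("title via dict policy:", validate_attribute(doc, "title", {"title": 1}))
    print("_secret via robust policy:", validate_attribute(doc, "_secret", robust_policy))
    print("item 0 via robust policy:", validate_item(["a", doc], 0, robust_policy))
    print("item 1 via robust policy:", validate_item(["a", doc], 1, robust_policy))
```

Run it and the dict policy that correctly gates attributes denies every item lookup (it never sees a key), and `naive_policy`, which is fine for attributes, fails outright the first time it is consulted for an item. That is the "you lose" case in concrete form: once the key is withheld, any policy that discriminates by name must either decide on the value alone or deny.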