[Zope-dev] Re: 2.7.3 beta attribute permission problems

Dieter Maurer dieter at handshake.de
Wed Oct 20 14:02:05 EDT 2004


Santi Camps wrote at 2004-10-20 07:18 +0200:
> ...
>Anyway, I can't understand a behaviour that allows to access a method
>directly from the URL and crashes when the access is done from a ZPT.

"ZPublisher" (more precisely: "ZPublisher.BaseRequest.BaseRequest.traverse")
is responsible for security checking for Web traversal. It uses a
different approach than "AccessControl" (which protects access
from restricted code).

As you found out:

   Tres fixed a security hole in "AccessControl"
   but a similar hole is still present in "ZPublisher"...

> ...
>On the other hand, I don't think that current code could be considered a
>security hole.  If a method is unprotected, then the protection of the
>object itself is applied.   I like it.

But the names chosen to control this behaviour
("__allow_access_to_unprotected_subobjects__") suggests that this
should not apply automatically.

-- 
Dieter

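The discrepancy Dieter describes, as an added illustration that is not Zope's own code: a deliberately simplified model of the two checks, where the AccessControl-style path honours `__allow_access_to_unprotected_subobjects__` but the (pre-fix) ZPublisher-style traversal path simply inherits the container's roles. The class, method names and the "Manager"/"Anonymous" roles are constructed for the example.

```python
# Simplified model (not Zope's own code) of the two checks discussed in the thread.

class Unauthorized(Exception):
    pass

class Container:
    """Constructed published object: one method with a permission declaration,
    one without. _declared stands in for Zope's per-attribute role declarations."""
    __roles__ = ("Manager",)                       # roles that may access the object itself
    _declared = {"protected_method": ("Manager",)}  # attribute name -> roles (assumption)
    __allow_access_to_unprotected_subobjects__ = 0  # default: no automatic opt-in

    def protected_method(self):
        return "protected"

    def undeclared_method(self):
        return "undeclared"

def _allowed(roles, user_roles):
    return bool(set(roles) & set(user_roles))

def accesscontrol_check(container, name, user_roles):
    """AccessControl-style: an undeclared attribute is denied unless the class
    explicitly opts in; only then does it fall back to the container's roles."""
    roles = container._declared.get(name)
    if roles is None:
        if not container.__allow_access_to_unprotected_subobjects__:
            raise Unauthorized(name)
        roles = container.__roles__
    if not _allowed(roles, user_roles):
        raise Unauthorized(name)
    return getattr(container, name)()

def zpublisher_check(container, name, user_roles):
    """Pre-fix ZPublisher-style traversal as the thread describes it: an undeclared
    attribute inherits the container's roles regardless of the opt-in flag."""
    roles = container._declared.get(name, container.__roles__)
    if not _allowed(roles, user_roles):
        raise Unauthorized(name)
    return getattr(container, name)()

def paths_disagree(container, name, user_roles):
    """Audit helper: True when URL traversal grants what restricted code is denied."""
    results = []
    for check in (accesscontrol_check, zpublisher_check):
        try:
            check(container, name, user_roles)
            results.append(True)
        except Unauthorized:
            results.append(False)
    return results[0] != results[1]
```

Running `paths_disagree(Container(), "undeclared_method", ["Manager"])` flags exactly the case in the thread: the ZPT (restricted code) path raises, while the URL path succeeds.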
