[Zope-dev] ZCatalog and indexes cleanup

yuppie y.2009 at wcm-solutions.de
Mon Jun 29 13:33:54 EDT 2009


Hi Andreas!


Andreas Jung wrote:
> On 29.06.09 12:48, yuppie wrote:
>> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>>
>> All the other indexes don't have security declarations. AFAICS there is 
>> no way to access indexes from untrusted code without having the 'Manage 
>> ZCatalogIndex Entries' permission.
>>   
> 
> I think that all index implementations should have security assertions?!

Why?

'_catalog.indexes' is protected by the underscore and using the 
'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only 
additional security restrictions would have any effect.

Or am I missing a security hole?

Cheers,

	Yuppie


