[Zope-dev] [zope2] Help needed with security checks and add views

Martin Aspeli optilude+lists at gmail.com
Sat Jul 10 06:14:45 EDT 2010


On 27 June 2010 00:24, Hanno Schlichting <hanno at hannosch.eu> wrote:
> Hi there,
>
> recently MJ opened a security related bug and disclosed it to the
> public at https://bugs.launchpad.net/zope2/+bug/578326.
>
> In short, Zope 2 never supported the permission attribute on ZCML
> browser:view declarations. It seems some people might have specified
> this attribute and assumed it would do something.
>
> I have added a warning message to Zope 2 (trunk + 2.12 branch) which
> warns about those cases. This is similar to how we handle other such
> cases like the unsupported <require set_schema=".." /> and <require
> set_attributes="..." /> on class directives.
>
> But it turns out that Zope 2 itself is using this in one place, that
> looks like it ought to have a security declaration. The
> Products.Five.adding.ContentAdding class registered as an add view
> ("+") has no working security declarations I can see, and only has
> such a non-functioning permission="zope2.ViewManagementScreens" set.
> I'm not familiar enough with the add view concept to understand what
> this is doing. It also looks like both CMF and Plone use similar
> registrations for their add views.
>
> Ideally I'd love to add support for the permission attribute, as
> clearly people have been using it. But if there's nobody who can
> figure out how to do that, I'd at least like to clarify the add view
> case.

Fixed in r114488 (2.12 branch) and r114490 (trunk). I don't think I'm
allowed to close the issue on Launchpad, but it should be fine now.

Cheers,
Martin
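The thread turns on declarations that look like security settings but are silently ignored by Zope 2: a `permission` attribute on `browser:view` and `set_schema`/`set_attributes` on `<require>` inside a `class` directive. As an added example (not code from this thread or from Zope 2), the script below lints a ZCML file for exactly those cases so they surface before deployment rather than only as a runtime warning. The ZCML sample is constructed for illustration and mirrors the `ContentAdding` registration Hanno describes; the namespace URIs for the `zope` and `browser` prefixes are assumed to be the standard ones.

```python
"""Lint ZCML for security declarations that Zope 2 does not enforce.

Flags (per the Zope-dev thread):
  * a `permission` attribute on a browser:view directive
  * `set_schema` / `set_attributes` on a <require> inside a class directive
"""
import xml.etree.ElementTree as ET

# Assumed standard ZCML namespace URIs for the zope: and browser: prefixes.
ZOPE_NS = "http://namespaces.zope.org/zope"
BROWSER_NS = "http://namespaces.zope.org/browser"

# Constructed sample: an add view registered like Products.Five.adding.ContentAdding,
# a browser:page (where `permission` IS honoured), and a class directive carrying
# both supported and unsupported <require> forms.
SAMPLE_ZCML = """<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">
  <browser:view
      name="+"
      for="*"
      class="Products.Five.adding.ContentAdding"
      permission="zope2.ViewManagementScreens"
      />
  <browser:page
      name="index.html"
      for="*"
      class=".views.IndexView"
      permission="zope2.View"
      />
  <class class=".content.Document">
    <require permission="zope2.ManageProperties" set_schema=".interfaces.IDocument" />
    <require permission="zope2.ManageProperties" set_attributes="title" />
    <require permission="zope2.View" interface=".interfaces.IDocument" />
  </class>
</configure>
"""


def find_ignored_declarations(zcml_text):
    """Return (directive, identifier, attribute) for every declaration Zope 2 ignores.

    `identifier` is the view name for browser:view and the dotted class name
    for class/require. browser:page is deliberately not flagged: its
    `permission` attribute is enforced.
    """
    root = ET.fromstring(zcml_text)
    findings = []

    # Case 1: permission="..." on browser:view has no effect in Zope 2.
    for view in root.iter("{%s}view" % BROWSER_NS):
        if "permission" in view.attrib:
            findings.append(("browser:view", view.get("name"), "permission"))

    # Case 2: <require set_schema=... /> and <require set_attributes=... />
    # under a class directive are unsupported; only interface/attributes are.
    for cls in root.iter("{%s}class" % ZOPE_NS):
        for req in cls.findall("{%s}require" % ZOPE_NS):
            for attr in ("set_schema", "set_attributes"):
                if attr in req.attrib:
                    findings.append(("class", cls.get("class"), attr))

    return findings


def format_warnings(findings):
    """Render findings as one human-readable warning line each."""
    return [
        "WARNING: %s %r: attribute %r is not supported by Zope 2 and has no effect"
        % (directive, ident, attr)
        for directive, ident, attr in findings
    ]


if __name__ == "__main__":
    for line in format_warnings(find_ignored_declarations(SAMPLE_ZCML)):
        print(line)
```

Run it against a real `configure.zcml` by replacing `SAMPLE_ZCML` with the file contents; any hit means the code path named by that declaration is relying on a permission check that is not actually being made.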

