[Zope-dev] [zope2] Help needed with security checks and add views

Hanno Schlichting hanno at hannosch.eu
Sat Jun 26 12:24:11 EDT 2010


Hi there,

recently MJ opened a security-related bug and disclosed it to the
public at https://bugs.launchpad.net/zope2/+bug/578326.

In short, Zope 2 never supported the permission attribute on ZCML
browser:view declarations. It seems some people might have specified
this attribute and assumed it would do something.

I have added a warning message to Zope 2 (trunk + 2.12 branch) which
warns about those cases. This is similar to how we handle other such
cases like the unsupported <require set_schema=".." /> and <require
set_attributes="..." /> on class directives.

But it turns out that Zope 2 itself is using this in one place that
looks like it ought to have a security declaration. The
Products.Five.adding.ContentAdding class registered as an add view
("+") has no working security declarations I can see, and only has
such a non-functioning permission="zope2.ViewManagementScreens" set.
I'm not familiar enough with the add view concept to understand what
this is doing. It also looks like both CMF and Plone use similar
registrations for their add views.

Ideally I'd love to add support for the permission attribute, as
clearly people have been using it. But if there's nobody who can
figure out how to do that, I'd at least like to clarify the add view
case.

Any help appreciated,
Hanno
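As an added illustration (not part of the original message or of the Zope 2 code base) of the two declarations the mail contrasts: a browser:view whose permission attribute Zope 2 ignores, beside the Five class directive that Zope 2 does honour. The package, interface, class and attribute names are hypothetical, and the corrected form is the general pattern for a browser view, not a fix for the ContentAdding add view the mail asks about.

```xml
<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">

  <!-- Ignored form (hypothetical names): on Zope 2 the permission
       attribute of browser:view has no effect, so this declaration
       leaves the view without a working protection; Zope 2 trunk/2.12
       now logs a warning when it sees this attribute. -->
  <browser:view
      name="example-view"
      for="mypackage.interfaces.IExampleContent"
      class="mypackage.browser.ExampleView"
      permission="zope2.ViewManagementScreens"
      />

  <!-- Honoured form: declare the protection on the view class itself
       with the Five class directive. The attributes listed are the
       names that are published on the view; anything not listed stays
       unprotected, which is the check to make when converting. -->
  <class class="mypackage.browser.ExampleView">
    <require
        permission="zope2.ViewManagementScreens"
        attributes="__call__ index update"
        />
  </class>

</configure>
```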
