[Zope] 'Inherited' Security Problem

Dieter Maurer dieter@handshake.de
Fri, 27 Jun 2003 00:49:11 +0200


Ralph vd Houdt wrote at 2003-6-25 09:08 +0200:
 > After I upgraded to zope 2.6.0 I'm no longer able to use dtml-var to include
 > a restricted dtml method in a non restricted dtml method. The previous
 > versions of zope would give me the possibility to log in to see the
 > complete page or to deny complete access. Nowadays the page gives a KeyError
 > with the value of the restricted page.
 > 
 > Does anyone have a solution?

I do not have a solution, just a remark.

The (in my view) bug was introduced a long time ago.
Apparently, a security fanatic decided that unauthorized objects
should not be seen at all (and converted some "Unauthorized" into "KeyError").
However, it might also have been introduced accidentally.

You may file a bug report. However, as Zope's security code is quite
weird, I have little hope that the behaviour will be changed in Zope 2.

As a (nasty) workaround, you might catch the "KeyError" exception
and raise an "Unauthorized" again.
An alternative would be to leave DTML and use ZPT instead.


Dieter
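As an added illustration of the workaround Dieter describes (not code from the original thread), assuming an unrestricted DTML Method that includes a restricted DTML Method named `restricted_method` from the same folder:

```dtml
<dtml-comment>
  Unrestricted DTML Method. The include of the restricted method is
  wrapped in dtml-try so the KeyError that Zope 2.6 raises for an
  object the current user may not see is turned back into
  Unauthorized, which triggers the normal login challenge instead of
  an error page. "restricted_method" is an assumed name.
</dtml-comment>
<dtml-try>
  <dtml-var restricted_method>
<dtml-except KeyError>
  <dtml-raise Unauthorized>
    You are not authorized to view this section.
  </dtml-raise>
</dtml-try>
```

Any genuine KeyError (for instance a misspelt method name) is now also reported as Unauthorized, so verify the included name before relying on this.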