[Zope] Re: Re: Re: Blocking Sibling inheritance
Greg Fischer
retheoff at gmail.com
Thu Mar 10 11:32:45 EST 2005
I did last week.
On Thu, 10 Mar 2005 16:18:42 +0100, Stefan H. Holek <stefan at epy.co.at> wrote:
> Please put this in the collector or it may get lost.
>
> Thanks,
> Stefan
>
>
> On 10 Mar 2005, at 11:07, Malcolm Cleaton wrote:
>
> > On Wed, 09 Mar 2005 19:23:53 +0100, Dieter Maurer wrote:
> >> Malcolm Cleaton wrote at 2005-3-9 10:59 +0000:
> >>> The issue can be worked around more easily than this. It is only the
> >>> magic
> >>> "Authenticated" role which appears to suffer from this problem.
> >>
> >> It should not be necessary:
> >>
> >> A user should not be able to access any *protected* (!) object
> >> outside the subhierarchy governed by the user folder
> >> that authenticated the user.
> >>
> >> But maybe, we have a bug (and "aq_inContextOf" does not work
> >> as expected).
> >
> > Yes, this shouldn't be necessary, and it looks like it's a bug.
> >
> > Looks to me like the bug is in User.py's allowed method. Quite simply,
> > when it checks for the Authenticated role, it doesn't call
> > self._check_context, so never attempts to detect and foil acquisition
> > tricks. Unless I'm missing something, it should be a quick and easy
> > fix.
> >
> > Thanks,
> > Malcolm.
>
> --
> Software Engineering is Programming when you can't. --E. W. Dykstra
>
> _______________________________________________
> Zope maillist - Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
>
--
Greg Fischer
1st Byte Solutions
http://www.1stbyte.com
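The role check Malcolm describes above, modelled as an added example so the acquisition trick can be tried offline. This is not Zope's own code and does not import Zope: Node, UserFolder, User.allowed_buggy, User.allowed_fixed and in_context_of are names assumed for this illustration, and the tree they act on is constructed. What it keeps from the thread is the shape of the check (Anonymous, the magic Authenticated role, ordinary roles, and a _check_context() guard built on an in-context test), with the Authenticated branch skipping the guard in the "buggy" version and applying it in the "fixed" one.

```python
"""
Toy model of the BasicUser.allowed() / _check_context() interplay from the
thread.  Added example: self-contained, not Zope's code.  Class and
function names are assumptions made for this illustration; the object
tree in build_scenario() is constructed.
"""


class Node:
    """A containment-tree node.  `parent` stands in for aq_parent on the
    inner (containment) chain; `roles` are the roles that may access the
    object (None means unprotected)."""

    def __init__(self, name, parent=None, roles=None):
        self.name = name
        self.parent = parent
        self.roles = roles


class UserFolder(Node):
    """Stands in for an acl_users folder; it governs its parent's subtree."""


def in_context_of(obj, context):
    """Stand-in for aq_inContextOf(obj, context, inner=1): walk obj's
    containment chain and report whether `context` lies on it."""
    while obj is not None:
        if obj is context:
            return True
        obj = obj.parent
    return False


class User:
    """A user authenticated by one particular user folder."""

    def __init__(self, name, roles, user_folder):
        self.name = name
        self.roles = set(roles)
        self.user_folder = user_folder

    def _check_context(self, obj):
        """The subtree governed by the user folder is its parent container;
        an object reached through acquisition from outside it is refused."""
        context = self.user_folder.parent
        if context is None:
            return False
        return in_context_of(obj, context)

    def _allowed(self, obj, check_authenticated_context):
        object_roles = obj.roles
        if object_roles is None or "Anonymous" in object_roles:
            return True
        if "Authenticated" in object_roles:
            # any authenticated user satisfies the magic role ...
            if not check_authenticated_context:
                return True  # ... and here the context guard is skipped
            return self._check_context(obj)
        for role in object_roles:
            if role in self.roles:
                return self._check_context(obj)  # ordinary roles are guarded
        return False

    def allowed_buggy(self, obj):
        """Behaviour described in the thread: Authenticated is not
        context-checked, ordinary roles are."""
        return self._allowed(obj, check_authenticated_context=False)

    def allowed_fixed(self, obj):
        """Same check with _check_context() applied to Authenticated too."""
        return self._allowed(obj, check_authenticated_context=True)


def build_scenario():
    """Constructed tree (paths shown for orientation):

        /site/a/acl_users   authenticates alice (role Member)
        /site/a/doc         Authenticated-protected, inside a's subtree
        /site/b/secret      Authenticated-protected, in the sibling subtree
        /site/b/report      Member-protected, in the sibling subtree

    An acquisition trick such as /site/a/b/secret reaches the sibling
    objects; on the containment chain they are still under /site/b."""
    site = Node("site")
    a = Node("a", site)
    acl_users = UserFolder("acl_users", a)
    b = Node("b", site)
    alice = User("alice", ["Member"], acl_users)
    doc = Node("doc", a, roles={"Authenticated"})
    secret = Node("secret", b, roles={"Authenticated"})
    report = Node("report", b, roles={"Member"})
    return alice, doc, secret, report


def run():
    """Evaluate both versions of the check against the three objects."""
    alice, doc, secret, report = build_scenario()
    return {
        "doc_buggy": alice.allowed_buggy(doc),
        "doc_fixed": alice.allowed_fixed(doc),
        "secret_buggy": alice.allowed_buggy(secret),
        "secret_fixed": alice.allowed_fixed(secret),
        "report_buggy": alice.allowed_buggy(report),
        "report_fixed": alice.allowed_fixed(report),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Only the Authenticated-protected sibling object changes between the two versions: the Member-protected one is refused either way because the ordinary-role branch already goes through _check_context(), which matches the observation in the thread that only the magic role is affected.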