[Zope] Zope and roles and hierarchy

Lennart Regebro regebro at gmail.com
Sat Feb 11 06:09:11 EST 2006


On 2/11/06, Kees de Brabander <cj.de.brabander at hccnet.nl> wrote:
> Unaware of any security risks, I used this "feature" from zope 1.10.x on and,
> regularly upgrading my applications, I had no problems until zope 2.7.8

Admittedly, I didn't use 1.10, I only discovered Zope two months
later, with 2.0.1. And I don't remember those details that far back.
But at least in 2.4.0, this code was called when you did
user.allowed():

    def _check_context(self, object):
        # Check that 'object' exists in the acquisition context of
        # the parent of the acl_users object containing this user,
        # to prevent "stealing" access through acquisition tricks.
        # Return true if in context, false if not or if context
        # cannot be determined (object is not wrapped).
        parent  = getattr(self, 'aq_parent', None)
        context = getattr(parent, 'aq_parent', None)
        if context is not None:
            if object is None:
                return 1
            if not hasattr(object, 'aq_inContextOf'):
                if hasattr(object, 'im_self'):
                    # This is a method.  Grab its self.
                    object=object.im_self
                if not hasattr(object, 'aq_inContextOf'):
                    # Object is not wrapped, so return false.
                    return 0
            if object.aq_inContextOf(context, 1):
                return 1
        # This is lame, but required to keep existing behavior.
        return 1

And hence, you can't have done this after Zope 2.4.0. So I still think
you are talking about something else.

--
Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/
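A runnable model of the check quoted in the message, added here as an illustration and not taken from Zope or from the post: the `Wrapper`, `Folder` and `build_demo` helpers are a deliberately simplified stand-in for Zope's Acquisition wrappers, `check_context` reproduces the control flow of the quoted `_check_context` (with Python 3's `__self__` in place of `im_self`), and `check_context_strict` is a hypothetical variant that shows what the result would be without the final fallback `return 1` the original keeps "to keep existing behavior".

```python
# Toy model of acquisition-context checking. NOT Zope code: the Wrapper class
# and its aq_inContextOf() are a simplified stand-in for Acquisition wrappers,
# built only to run the control flow of the _check_context() quoted above.


class Folder:
    """Plain content object; it knows nothing about its container."""

    def __init__(self, name):
        self.name = name

    def __repr__(self):
        return "Folder(%r)" % self.name


class Wrapper:
    """Acquisition-style wrapper: an object plus the parent it was reached through."""

    def __init__(self, obj, parent=None):
        self.aq_self = obj        # the underlying object
        self.aq_parent = parent   # wrapper of the container (None at the root)

    def aq_inContextOf(self, context, inner=1):
        """True if `context` is this wrapper or one of its aq_parent ancestors.

        Real Acquisition compares the inner objects; this model compares the
        identity of the wrapped object (aq_self), which is enough for the demo.
        """
        target = context.aq_self if isinstance(context, Wrapper) else context
        node = self
        while node is not None:
            if node.aq_self is target:
                return True
            node = getattr(node, "aq_parent", None)
        return False


def check_context(user, obj):
    """Port of the quoted _check_context(): `user` is the wrapped user object,
    user.aq_parent is acl_users, and acl_users.aq_parent is the folder that
    owns the user folder. Returns 1/0 exactly where the original does."""
    parent = getattr(user, "aq_parent", None)
    context = getattr(parent, "aq_parent", None)
    if context is not None:
        if obj is None:
            return 1
        if not hasattr(obj, "aq_inContextOf"):
            if hasattr(obj, "__self__"):
                # A bound method: grab its self (Python 3 spelling of im_self).
                obj = obj.__self__
            if not hasattr(obj, "aq_inContextOf"):
                # Object is not wrapped, so the context cannot be determined.
                return 0
        if obj.aq_inContextOf(context, 1):
            return 1
    # The quoted code falls through to 1 here, so a wrapped object that is
    # OUTSIDE the user folder's context is still reported as allowed.
    return 1


def check_context_strict(user, obj):
    """Hypothetical variant (not Zope's): identical, except that a wrapped object
    outside the context is rejected instead of falling through to 1."""
    parent = getattr(user, "aq_parent", None)
    context = getattr(parent, "aq_parent", None)
    if context is None:
        return 0
    if obj is None:
        return 1
    if not hasattr(obj, "aq_inContextOf"):
        obj = getattr(obj, "__self__", obj)
        if not hasattr(obj, "aq_inContextOf"):
            return 0
    return 1 if obj.aq_inContextOf(context, 1) else 0


def build_demo():
    """Constructed site tree: alice is defined in siteA/acl_users; docB lives
    in a sibling site that alice's user folder does not contain."""
    root = Wrapper(Folder("root"))
    site_a = Wrapper(Folder("siteA"), root)
    acl_users = Wrapper(Folder("acl_users"), site_a)
    alice = Wrapper(Folder("alice"), acl_users)
    doc_a = Wrapper(Folder("docA"), site_a)
    site_b = Wrapper(Folder("siteB"), root)
    doc_b = Wrapper(Folder("docB"), site_b)
    return alice, doc_a, doc_b


if __name__ == "__main__":
    alice, doc_a, doc_b = build_demo()
    for label, target in [("in context", doc_a), ("sibling site", doc_b),
                          ("unwrapped", Folder("loose")), ("None", None)]:
        print("%-13s quoted=%d strict=%d" % (
            label, check_context(alice, target), check_context_strict(alice, target)))
```

Running the script shows the two behaviours side by side: the quoted logic returns 0 only for an object that is not acquisition-wrapped at all, while the strict variant also returns 0 for a wrapped object reached through a context the user folder does not contain, which is the case the code comment describes as "stealing" access through acquisition.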

