[Zope3-dev] Zope 3 security issues

Casey Duncan c.duncan@nlada.org
Fri, 1 Mar 2002 14:24:45 -0500


On Friday 01 March 2002 11:55 am, you wrote:
> Hi Jim,
[snip]
> 3: What should we do about supporting the PageTemplate idiom
> "request/response/setHeader" and similar?

My vote is to shoot the person who calls setHeader in a page template... 8^)

Is declarative security wired up? Maybe you could just use that. Does 
HTTPRequest lack an interface so that the declarations can be made in a zcml 
file? Ultimately I think that is where they should go.

>     Currently, response is an attribute of an HTTPRequest.
>
>     At present, I've punted, and advised Stephan to add an
>     __allow_access_to_unprotected_subobjects__ to HTTPRequest and
>     HTTPResponse on his branch.
>     I don't think this is the best way of doing things.

I know we'll need to support this abomination in Zope 3, but hopefully we 
can eradicate it in 3X. Please?!? At least you're doing this on a branch 8^)

> Basically, I've been changing the absolute minimum to get the ZMI
> working now that security is hooked up. Once I know what things are
> supposed to be like, I can go back and do things properly.

/---------------------------------------------------\
  Casey Duncan, Sr. Web Developer
  National Legal Aid and Defender Association
  c.duncan@nlada.org
\---------------------------------------------------/