[Zope3-dev] Zope 3 security issues

Chris Withers chrisw@nipltd.com
Fri, 01 Mar 2002 20:01:51 +0000


Steve Alexander wrote:
> 
> 2: What should we do about supporting
>     __allow_access_to_unprotected_subobjects__ ?
> 
>     At present, I've allowed access to attributes of such objects, and to
>     methods of such objects, provided they are not already protected by
>     a __permission__ declaration.

To echo Casey's comments: I'd be sorely tempted to fly/drive/run to where whoever moves
this into Zope 3 lives and remove some body parts with a suitably blunt spoon!

Please! Certainly in 3X we need to find graceful, correct ways of solving these problems. I
suspect the ZopeSecurityPolicy is gonna need some work to handle stuff properly,
specifically the case where the security information for an object is actually held
somewhere else (like in the ObjectHub metadata table...)

cheers,

Chris

PS:
>     At present, I've punted, and advised Stephan to add an
>     __allow_access_to_unprotected_subobjects__ to HTTPRequest and
>     HTTPResponse on his branch.

If this comes off the branch like that, I'm booking tickets and hiring surgical spoons!
;-)