[Zope3-dev] queryAdapter via __conform__
Jim Fulton
jim at zope.com
Mon Feb 23 13:18:27 EST 2004
Dominik Huber wrote:
> If queryAdapter is called by a view, the result is an unproxied adapted object.
Well, if the object being adapted is proxied, then queryAdapter will
either return the object itself, which would be proxied, or it would return
an adapter of the proxied object, in which case you have an adapter
of a proxy, and the underlying object is protected.
> If __conform__ is invoked during this call, the resulting adapted object is proxied.
If you are getting a proxy from __conform__, then the underlying object
was proxied and the resulting adapter should be proxied.
> I would suggest to extend queryAdapter by a removeAllProxies to provide a consistent behavior. Thus for example
> the __conform__ mechanism could also be used in the widget framework (editview).
No.
> I will check in this change if nobody has objections.
I object. Don't check this change in.
Such a change would cause __conform__ to be a security hole.
Why is a security-proxied adapter a problem?
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
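
The difference discussed in this message, as an added example that is not part of the original post and is not Zope code. Proxy, protect, the `allowed` class attribute, Account, Summary and both query functions are hypothetical stand-ins for a security proxy with a per-class checker; they only model why stripping proxies before calling __conform__ hands the caller an unprotected adapter.

```python
# Toy model, constructed for illustration; not the zope.security API.
class ForbiddenAttribute(Exception):
    pass

def protect(value):
    """Wrap anything that is not a basic value (or already a Proxy)."""
    if isinstance(value, (str, int, type(None), Proxy)):
        return value
    return Proxy(value)

class Proxy:
    """Only names listed in the wrapped class's `allowed` are reachable."""
    def __init__(self, obj):
        object.__setattr__(self, "_obj", obj)
    def __getattr__(self, name):
        obj = object.__getattribute__(self, "_obj")
        if name not in type(obj).allowed:
            raise ForbiddenAttribute(name)
        value = getattr(obj, name)
        if callable(value):  # results of allowed calls stay protected
            return lambda *a, **kw: protect(value(*a, **kw))
        return protect(value)

class Summary:
    allowed = ("owner",)
    def __init__(self, account):
        self.account = account
    @property
    def owner(self):
        return self.account.owner

class Account:
    allowed = ("owner", "__conform__")
    def __init__(self, owner, secret):
        self.owner, self.secret = owner, secret
    def __conform__(self, iface):
        return Summary(self) if iface == "ISummary" else None

def query_adapter(obj, iface):
    """__conform__ is reached through the proxy, so its result is proxied."""
    conform = getattr(obj, "__conform__", None)
    return conform(iface) if conform else None

def query_adapter_stripping(obj, iface):
    """Models the proposed change: remove proxies first, then adapt."""
    bare = object.__getattribute__(obj, "_obj") if isinstance(obj, Proxy) else obj
    return bare.__conform__(iface)

def can_read_secret(adapter):
    try:
        return adapter.account.secret is not None
    except ForbiddenAttribute:
        return False
```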