[Zope3-dev] security frustrations

Roger Ineichen dev at projekt01.ch
Wed Aug 10 04:41:11 EDT 2005


Hi Benji

> Behalf Of Benji York
> Sent: Tuesday, August 09, 2005 4:49 PM
> To: dev at projekt01.ch
> Cc: zope3-dev at zope.org; 'Martijn Faassen'
> Subject: Re: [Zope3-dev] security frustrations
> 
> Roger Ineichen wrote:
> > Remember that you don't have a location and checking security
> > isn't possible if you use subscribers in this state and if 
> > you use it together with a local PAU.
> 
> Roger, I'm afraid I don't fully understand your response, but
> perhaps it will clarify things if I say that I intended for the
> permission on the trusted adapter to be zope.Public.

Ok, in this special case it's working, but if you register
the adapter with something other than "zope.Public" it doesn't work.
But only because in this case there is no security check lookup!
All other permissions will be looked up and don't have a
chance to get the local PAU because of the missing location
(__parent__ = None).

It's really simple: objects that have been created but not yet added
to a container can't be located and act only with global utilities
instead of local ones. It's strongly recommended that nobody does
security-related operations with subscribers in this state
of an object. This works in a global site setup but not in
a local site with a local PAU.

Regards
Roger Ineichen

> Benji York
> Senior Software Engineer
> Zope Corporation



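The lookup behaviour described in the message above, as an added example that is not part of the original post and is not Zope's own code. It is a simplified plain-Python model: `Site`, `Content`, `nearest_auth`, `security_subscriber` and `GLOBAL_AUTH` are hypothetical names, and the only assumption carried over from Zope is that a local utility is found by walking `__parent__`.

```python
# Simplified model (assumption): NOT Zope's real component architecture.
class Site:
    """A container that may carry its own (local) authentication utility."""
    def __init__(self, name, parent=None, local_auth=None):
        self.__name__, self.__parent__, self.local_auth = name, parent, local_auth

class Content:
    """Freshly created content: __parent__ stays None until it is added."""
    __parent__ = None

GLOBAL_AUTH = "global principal registry"  # constructed stand-in value

def nearest_auth(obj):
    """Walk __parent__ to the nearest site that has a local utility.

    Returns (utility, located). An unlocated object has nothing to walk,
    so it can only ever reach the global utility.
    """
    node = getattr(obj, "__parent__", None)
    located = node is not None
    while node is not None:
        if getattr(node, "local_auth", None) is not None:
            return node.local_auth, located
        node = node.__parent__
    return GLOBAL_AUTH, located

class UnlocatedObjectError(LookupError):
    """Raised when a security-related lookup is attempted without a location."""

def security_subscriber(obj, event_log):
    """Hypothetical subscriber that needs the authentication utility.

    Guard: refuse to run on an unlocated object instead of silently
    falling back to the global utility.
    """
    auth, located = nearest_auth(obj)
    if not located:
        raise UnlocatedObjectError("no __parent__; local PAU unreachable")
    event_log.append(auth)
    return auth

def demo():
    root = Site("root")
    site = Site("intranet", parent=root, local_auth="local PAU of 'intranet'")
    doc = Content()
    before = nearest_auth(doc)  # created, not yet added: global only
    doc.__parent__ = site       # what adding to a container does
    after = nearest_auth(doc)   # now the local PAU is reachable
    return before, after
```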